Multi-signature wallets in public trust ledger actions via a database system

ABSTRACT

A request to perform an action related to a smart contract deployed on a blockchain may be received at a database system. The smart contract may be associated with a multi-signature authorization policy including one or more signature criteria for performing the action. A respective signature request message may be transmitted to a plurality of recipients. The signature request messages may identify the smart contract and the action. A plurality of signature response messages may be received. Two or more of the signature response messages may include a respective signature generated based on a respective private cryptographic key. An action execution message may be transmitted to execute the smart contract to perform the action. The action execution message may include the two or more signatures. The smart contract may be configured to perform the action when the two or more signatures comply with the multi-signature authorization policy.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to provisional U.S. Patent Application No. 63/365,897 (Attorney docket SFDCP113P) filed Jun. 6, 2022 by Prithvi Krishnan Padmanabhan, titled “MULTI-SIGNATURE NON-CUSTODIAL WALLETS IN PUBLIC TRUST LEDGER ACTIONS VIA A DATABASE SYSTEM”, which is hereby incorporated by reference in its entirety and for all purposes.

FIELD OF TECHNOLOGY

This patent document relates generally to database systems and more specifically to interactions between database systems and public trust ledgers.

BACKGROUND

“Cloud computing” services provide shared resources, applications, and information to computers and other devices upon request. In cloud computing environments, services can be provided by one or more servers accessible over the Internet rather than installing software locally on in-house computer systems. Users can interact with cloud computing services to undertake a wide range of tasks.

Another mechanism for storing information is a public trust ledger, such as a blockchain. A public trust ledger is a distributed repository in which transactions are recorded. Transactions can be monetary, such as recording a payment, or non-monetary, such as recording a transfer of ownership. A public trust ledger is a distributed repository that is publicly accessible and that is secured based on cryptographic protocols.

Cloud computing systems provide platforms for a variety of computing operations. However, a cloud computing environment is typically controlled by a service provider that supervises and governs the environment. A public trust ledger does not depend on a trusted party to manage it, but does not provide a platform for many of the types of operations performed within a cloud computing system. Accordingly, improved techniques for transaction management are desired.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve only to provide examples of possible structures and operations for the disclosed inventive systems, apparatus, methods and computer program products for blockchain action authentication. These drawings in no way limit any changes in form and detail that may be made by one skilled in the art without departing from the spirit and scope of the disclosed implementations.

FIG. 1 illustrates an example of an overview method for smart contract multi-signature authorization, performed in accordance with one or more embodiments.

FIG. 2 illustrates an ecosystem facilitating interactions between a database system and a public trust ledger, configured in accordance with one or more embodiments.

FIG. 3 illustrates an example of an arrangement of elements in a database system, configured in accordance with one or more embodiments.

FIG. 4 illustrates an architecture diagram of a system facilitating interactions between a database system and a public trust ledger, configured in accordance with one or more embodiments.

FIG. 5 illustrates an example of a smart contract, configured in accordance with one or more embodiments.

FIG. 6 illustrates an example of a method for creating a digital asset, performed in accordance with one or more embodiments.

FIG. 7 illustrates an example of a procedure for minting a token, performed in accordance with one or more embodiments.

FIG. 8 illustrates an example of a method for identifying one or more parties associated with a digital asset, performed in accordance with one or more embodiments.

FIG. 9 illustrates an example of a method for transferring a digital asset non-fungible token, performed in accordance with one or more embodiments.

FIG. 10 illustrates a method for transferring a digital asset, performed in accordance with one or more embodiments.

FIG. 11 illustrates an example of a messaging procedure for transferring a token, performed in accordance with one or more embodiments.

FIG. 12 illustrates an example of a messaging procedure for creating an account, performed in accordance with one or more embodiments.

FIG. 13 illustrates an example of a procedure for communicating with a public trust ledger via a non-custodial wallet, performed in accordance with one or more embodiments

FIG. 14 illustrates one example of a method of controlling actions related to a smart contract, configured in accordance with one or more embodiments.

FIG. 15 illustrates a diagram of a public trust ledger synthetic party, configured in accordance with one or more embodiments.

FIG. 16 shows a block diagram of an example of an environment that includes an on-demand database service configured in accordance with some implementations.

FIG. 17A shows a system diagram of an example of architectural components of an on-demand database service environment, configured in accordance with one or more embodiments.

FIG. 17B shows a system diagram further illustrating an example of architectural components of an on-demand database service environment, configured in accordance with one or more embodiments.

FIG. 18 illustrates one example of a computing device, configured in accordance with one or more embodiments.

FIG. 19 illustrates an example of a method for deploying a smart contract configured to support multi-signature action authorization, performed in accordance with one or more embodiments.

FIG. 20 illustrates an example of a method for configuring a smart contract multi-signature policy, performed in accordance with one or more embodiments.

FIG. 21 illustrates an example of a method for executing a smart contract multi-signature policy, performed in accordance with one or more embodiments.

FIG. 22 illustrates an example of a method for updating a smart contract multi-signature policy, performed in accordance with one or more embodiments.

FIG. 23 illustrates a method for performing an action at a smart contract, performed in accordance with one or more embodiments.

DETAILED DESCRIPTION

Techniques and mechanisms described herein relate to interactions between an on-demand database system and a public trust ledger such as a blockchain. A smart contract multi-signature policy may be created that specifies a number of signatures required to perform an action related to a smart contract, as well as one or more roles for accounts authorized to provide the signatures. Then, when a blockchain-related action is requested within a database system, the database system may generate a crypto transaction envelope that identifies the action, and provide the crypto transaction envelope for signature. The signed request may be transmitted to the blockchain for executing the requested actions when the crypto transaction envelope has been signed by authorized accounts in accordance with the smart contract multi-signature policy.

An on-demand database system allows entities to store information such as records of transactions. However, in conventional systems, an on-demand database system is typically controlled by a service provider, requiring parties to a transaction recorded in the on-demand database system to trust that the service provider will continue to exist, will maintain an adequate level of security, will not permit the transaction record to be lost or corrupted, and will generally behave in a trustworthy manner.

Techniques and mechanisms described herein provide for interactions between an on-demand database system and a public trust ledger. A public trust ledger provides a way to record transactions in a manner that is secure, publicly verifiable, and free from control of any one entity. For instance, the database system may interact with the public trust ledger to record transactions related to the creation and transfer of ownership and other rights in digital assets referenced within the on-demand database system. The public trust ledger may then serve as a source of truth that it is independent of the service provider. A trust ledger may be variously referred to herein as a public trust ledger or a distributed trust ledger.

According to various embodiments, techniques and mechanisms described herein may facilitate the creation of fungible and/or non-fungible tokens. For instance, an entity accessing services via the on-demand computing services environment can easily and dynamically create any number of non-fungible tokens corresponding with digital assets such as avatars, apparel, characters, promotional material, or any other digital item.

Consider the example of Alexandra, an employee for a company “Acme” accessing computing services via the on-demand database system. Alexandra would like to create a number of fungible and/or non-fungible tokens on a blockchain for purposes such as instituting a customer rewards program, connecting physical and digital products, and building Acme's presence in the metaverse. However, both Acme and Alexandra are concerned about potential security risks.

When using conventional techniques, mitigating blockchain-related security risks can be quite difficult. For example, Alexandra may wish to authorize other Acme employees to perform blockchain-related actions on Acme's behalf, such as deploying smart contracts and minting tokens. However, such authorization creates the risk that such employees may, through error or malice, take actions that cause harm to Acme. For instance, an authorized employee such as Mallory may maliciously mint a large quantity of tokens directly to wallets under Mallory's control. Because operations recorded on the blockchain are irrevocable, such an action could result in a substantial alteration in ownership and value of Acme's tokens.

In contrast, when using techniques and mechanisms described herein, Alexandra may configure a smart contract with a multi-signature authorization policy. The multi-signature authorization policy may require that any deployment actions related to Acme's smart contracts be signed by at least three accounts authorized to perform such an action. Further, the multi-signature authorization policy may require that any minting actions require four signatures by three accounts authorized to mint tokens, as well as a mandatory signature by Alexandra herself. In this way, Alexandra may maintain the security of Acme's blockchain-related operations and ensure that no one person can initiate a security breach.

According to various embodiments, techniques and mechanisms described herein may provide technical solutions that facilitate a variety of new ways for organizations to interact with customers. For example, an organization may employ branded collectibles represented by digital assets, facilitating expanded community engagement. As another example, an organization may bundle real world and digital experience linked to digital assets. As yet another example, an organization may securely send exclusive codes for benefits such as early access, discounts, VIP tickets, and gift cards. As still another example, an organization may build a loyal base of customers with free or gamified rewards across different use cases.

According to various embodiments, techniques and mechanisms described herein may facilitate the integration of blockchain data with database system data such as customer relations management (CRM) data and analytics. For instance, information stored in a database system, such as CRM data, may be linked with publicly verified information stored in a block chain to provide a combination of control, security, and verifiability. Such linkages may help to support, for instance, partnerships between organizations such as cross-brand partnerships and promotions.

According to various embodiments, techniques and mechanisms described herein may provide for scalability. Conventional techniques for interacting with public trust ledgers do not support enterprise-level exchange of digital assets. However, techniques and mechanisms described herein provide technological solutions for scaling digital asset exchange to the enterprise level, ensuring that transactions can occur quickly and efficiently even at high transaction throughput levels.

According to various embodiments, techniques and mechanisms described herein provide for smart contract generation and management. In addition to supporting simple tokens, various embodiments can support modeling complex asset classes. For example, smart contracts may include rules governing transactional aspects such as the number of transactions, type of transactions, and identities of parties.

According to various embodiments, techniques and mechanisms described herein provide technological solutions for facilitating interactions between database systems and public trust ledgers such as blockchain. For example, based on these techniques and mechanisms a blockchain may be used to store verification information, while other types of data may be stored in the database system. Such configurations can provide enhanced speed, reduced transaction costs, and improved data security as compared with conventional techniques. For instance, transactions may be publicly verified while at the same time storing data in a way that is consistent with privacy regulations.

According to various embodiments, techniques and mechanisms described herein may provide for enhanced transaction fee management techniques. When using conventional techniques, transaction fees may fluctuate based on the state of the public trust ledger. However, in some implementations described herein, a party may pay a fixed transaction fee to the database system. The fee may be determined based on, for instance, an asset type, a party type, or other such information. The database system may then communicate with the public trust ledger to record the transaction.

In particular embodiments, the database system service provider may employ a technology such as the Layer 2 protocol to facilitate interactions with a public trust ledger. In such an approach, the service provider may perform operations such as validation and minting within its own blockchain. Then, transactions may be recorded in a widely available public blockchain such as Ethereum. Such an approach may provide the benefits of publicly recording transactions as well as reducing transaction costs, since more costly transactions may be performed within the database service provider's blockchain, while employing the widely available public blockchain for less costly recordation operations.

As used herein, the terms “database” and “public trust ledger” are distinct. For example, a database system is controlled by a particular database administrator or service provider, whereas a public trust ledger is a peer-to-peer system in which transactions are publicly recorded in a manner that is outside the control of any one particular organization.

FIG. 1 illustrates an example of a smart contract multi-signature authorization overview method 100, performed in accordance with one or more embodiments. According to various embodiments, the method 100 may be performed at one or more computing devices within a database system.

A smart contract configured to implement a multi-signature authorization policy including one or more signature criteria is deployed to the blockchain at 102. According to various embodiments, the smart contract multi-signature authorization policy may identify information such as a number of signatures needed to perform actions related to a smart contract, as well as roles associated with the needed signatures. Additional details regarding the deployment to a blockchain of a smart contract configured to enforce such a policy, as well as the determination of such a, policy are discussed with respect to the method 1900 shown in FIG. 19 and the method 2000 shown in FIG. 20 . Additional details regarding the updating of such a policy for a smart contract already deployed on the blockchain are discussed with respect to the method 2200 shown in FIG. 22 .

A request at a database system to perform one or more operations related to the smart contract is received at 104. According to various embodiments, the request may be received via a communication interface, and may be generated automatically or based on user input. In some configurations, more than one request may be received in succession, identifying various actions to be performed. Examples of such actions may include, but are not limited to: minting tokens, minting a designated number of tokens, changing a price associate with a token, changing a price beyond a designated threshold level, pausing transfer of one or more tokens, changing a role related to a smart contract, and/or any other relevant operations.

An action request message including one or more authorization signatures is transmitted to the blockchain at 106. In some embodiments, the authorization signatures may be secured by generating a crypto transaction envelope, for instance at a database system. The crytpo transaction envelope may include a manifest identifying one or more actions to be performed. Additional details regarding crypto transaction envelopes and their construction are discussed with respect to the diagram 300 shown in FIG. 3 .

In some implementations, the database system may automatically initiate communications with accounts associated with roles authorized to sign the crypto transaction envelope. Alternatively, or additionally, one or more messages may be manually sent, for instance by an account associated with a request received at operation 104, to a recipient authorized to sign the crypto transaction envelope. Additional details regarding receiving a request to perform actions related to a smart contract and securing signatures authorizing the performance of those actions are discussed with respect to the method 2100 shown in FIG. 21 .

The one or more operations are performed at 108 when it is determined that the signature criteria have been met. In some implementations, performing the one or more operations may involve facilitating communication between the database system and the smart contract. For instance, the crypto transaction envelope may be sent from the database system to the smart contract, which may be executed locally or on a remote machine. The smart contract may then verify the authenticity of the signatures and the satisfaction of the smart contract multi-signature authorization policy before performing the requested actions. Additional details regarding the performance of blockchain-related actions subject to a smart contract multi-signature authorization policy are discussed with respect to the method 2300 shown in FIG. 23 .

FIG. 2 illustrates an ecosystem 200 facilitating interactions between a database system and a public trust ledger, configured in accordance with one or more embodiments. The ecosystem 200 may be used to implement techniques described herein, and may be implemented using one or more devices and systems shown in FIG. 16 , FIG. 17A, FIG. 17B, and FIG. 18 .

The ecosystem 200 includes a public trust ledger 202. According to various embodiments, the public trust ledger 202 may store information related to digital assets and transactions pertaining to digital assets. The public trust ledger 202 may be cryptographically verifiable. For example, the public trust ledger may employ one or more cryptographic technologies to provide a transparent, immutable, and cryptographically-verifiable log of transactions stored in the database.

In some implementations, the public trust ledger 202 may be configured so as to provide a single, consistent state at any time, allowing requests to continue to be processed despite failures or attacks. Requests to update the global state of the public trust ledger 202 may be implemented in a consistent manner. Such requests may be globally ordered via consensus between nodes.

Replica nodes are shown at 204, 206, 208, and 210. According to various embodiments, each replica node may be implemented via VMware. However, other types of node management tools may be used instead of, or in addition to, VMware. A replica node may process requests to verify or change the state of the public trust ledger 202.

According to various embodiments, the replica nodes may provide Byzantine fault tolerance (BFT). In a Byzantine fault, a component such as a server can inconsistently appear both failed and functioning to failure-detection systems, presenting different symptoms to different observers. It is difficult for the other components to declare it failed and shut it out of the network, because they need to first reach a consensus regarding which component has failed in the first place. However, the ecosystem 200 may use techniques such as the BFT State Machine Replication protocol and Merkle Tree data structures to ensure that the Replica and Client nodes' data are identical and to therefore provide tolerance against such faults.

According to various embodiments, interactions with the replica nodes may be conducted via client nodes, such as the client nodes 212 and 214. Each of the client and replica nodes may implement an application procedure interface (API) such as a Digital Asset Modeling Language (“DAML”) ledger API server. According to various embodiments, DAML is an open-source smart contract language that aids in modeling agreements and runs on blockchain platforms. DAML Ledgers enable multi-party workflows by providing parties with a virtual shared ledger, which encodes the current state of their shared contracts, written in DAML.

In some implementations, a client node may communicate with one or more parties 216, 218, 220, 222 via a network such as the internet. According to various embodiments, a party may be a computing device on which an account in the public trust ledger has been authenticated, communicating via a secured session. For example, a party may submit a request to a client node, in accordance with methods described herein. The client node may send requests to one or more of the replica nodes and receive the results of running the requests. A client node may include a privacy-filtered subset of the state of the public trust ledger.

FIG. 3 illustrates an example of an arrangement of elements in a database system 300, configured in accordance with one or more embodiments. The database system 300 includes entities representing crypto transactions 302, crypto wallet roles 304, crypto wallets 306, crypto products 308, assets 310, order items 312, orders 314, orgs 316, users 318, accounts 320, product attributes 322, product attribute set items 324, product attribute sets 326, product attribute set products 328, product categories 330, and products 332.

In some implementations, different entities may be stored in different database tables. Alternatively, two or more entities may be stored in the same database table, for instance in a dynamic schema database in which the contents of particular fields in a database table row depend on the entity type stored in that row.

According to various embodiments, the wallet table 306 may include entries that uniquely identify wallets in a public trust ledger. For example, an entry in the wallet table 360 may include a wallet ID associated with the database system and/or an account ID associated with an account in a public trust ledger such as a blockchain. Such an entry may also include one or more identifiers associated with an org 316, a user 318, and/or an account 320. An org 316 may represent a database system account associated with an entity to which the database system provides on-demand computing services. A user 318 may represent a user account associated with an individual authorized to perform one or more operations with respect to the database system on behalf of an org. An account 320 may represent another organizational or individual entity, for instance one who receives a digital asset created in association with an org 316.

According to various embodiments, the crypto wallet role table 304 may indicate one or more roles assigned to an org 316, user 318, or account 320. Such roles may include, but are not limited to: full or partial owner, buyer, issuer, royalty receiver, and modifier. In some configurations, a role may be specific to a particular product and/or product category.

According to various embodiments, the product table 332 includes entries that identify the products to which the digital assets relate. An entry in the product table 332 may include a product ID that uniquely identifies the product. The product category 330 may indicate a product record type such as an NFT, a branded token, a cryptocurrency, or any other suitable product type. Attributes of products may be represented in one or more of the product attribute set product table 328, the product attribute set table 326, and the product attribute set item table 324.

According to various embodiments, the crypto product table 308 includes content information associated with a digital asset. An entry in the crypto product table 308 may include a content ID that identifies the content and/or a product ID 312 identifying a product to which the digital asset relates. In some implementations, the entry may also include or reference digital content. The digital content may include, for example, media data associated with a product. Such media data may include, but is not limited to: one or more videos, animations, images, documents, or audio segments. In some configurations, the digital content data may be stored within the crypto product table 308. Alternatively, or additionally, digital content data may be stored in a different location and a reference to that location or data stored within the crypto product table 308.

According to various embodiments, the asset table 310 may store information about digital assets associated with tokens. For example, a digital asset may be a fungible token such as cryptocurrency or rewards program points. As another example, a digital asset may be ownership of, copyright to, or some other right related to an NFT. Various types of digital assets are possible, and a single product may be associated with more than one digital asset.

According to various embodiments, an entry in the asset table 310 may include a digital asset ID 310 that uniquely identifies the digital asset. An entry may also include a digital asset record type that identifies the type of digital asset. For instance, the digital asset record type may be an NFT, branded token, cryptocurrency, or any other suitable digital asset type.

According to various embodiments, the crypto transactions table 302 may store information related to transactions involving the assets identified in the asset table 310 and/or the crypto products identified in the crypto product table 308. Accordingly, an entry in the crypto transactions table 302 may include a transaction ID that uniquely identifies the transaction and a digital asset ID to which the transaction pertains. A single digital asset ID may be associated with more than one transaction. A transaction may be included within an order item 312, which may in turn be included within an order 314. In some implementations, an entry in the asset transaction table 350 may include a transaction status field storing information such as whether the transaction is pending, canceled, or complete.

The configuration of tables shown in FIG. 3 is only one example of a database system configuration that may be used in conjunction with techniques and mechanisms described herein. According to various embodiments, any of a variety of database system configurations may be used. For example, two or more of the tables shown in FIG. 3 may instead be implemented in a single table. As another example, information shown in FIG. 3 as being stored in a single table may instead be stored in more than one table. As yet another example, tables shown in FIG. 3 may include other information not represented in FIG. 3 .

In the database representation shown in FIG. 3 , a split connection indicates a potentially one-to-many relationship. For example, an order 314 may include more than one order item 312. However, the types of relationships and connections between entities shown in FIG. 3 represent only one possible arrangement of data entities within a database system. In practice, a wide variety of configurations may be used in keeping with techniques and mechanisms described herein.

In some implementations, the database system 300 may be implemented as a multitenant database. Alternatively, a different type of database architecture may be employed.

According to various embodiments, the database system 300 may include many components other than those shown in FIG. 3 . Examples of the types of components that may be included in a database system are discussed with respect to FIG. 16 , FIG. 17A, FIG. 17B, and FIG. 18 .

According to various embodiments, a crypto wallet 306 may be associated with one or more crypto product category wallet roles 340. A crypto product category wallet role 340 may indicate one or more roles authorized to perform one or more actions with respect to the crypto wallet. Such roles may be occupied by individuals, identified by the crypto user role 344. A crypto wallet approved list 342 may identify a correspondence between crypto product categories and crypto product category wallet roles.

According to various embodiments, a crypto transaction envelope 356 may be created to encapsulate changes on the blockchain initiated from the database system, before such changes are requested by the database system. The crypto transaction envelope 356 may serve as a header record identifying actions that are being performed. For instance, a crypto envelope change list included in the crypto transaction envelope 356 may identify changes that are being made by the crypto envelope. The changes included in the crypto change list may have been made by a single user or by more than one users.

According to various embodiments, a crypto transaction envelope 356 may be created when particular operations are performed. One or more of the rules identifying actions that lead to the creation of a crypto transaction envelope 356 may be specified in one or more configuration parameters. For instance, actions that may trigger the creation of a crypto transaction envelope may include, but are not limited to: adding a role, minting one or more tokens, changing a price, the execution of particular smart contract methods, or other actions related to the blockchain. Techniques and mechanisms for configuring crypto envelope creation and signature rules are discussed in additional detail with respect to the method 1900 shown in FIG. 19 .

According to various embodiments, a crypto transaction envelope 356 may be submitted to one or more document recipients 352 for signing. A document recipient may be identified by, for instance, a wallet identifier or a user identifier. The document recipient may sign the crypto transaction envelope with a private key at 348. The signature may be recorded in the document recipient object 346 along with the envelope identifier. Information related to signatures may be recorded in the service report 360 and/or the document envelope 358, which collectively with the crypto envelope 356 form a signed document 354.

FIG. 4 illustrates an architecture diagram of a system 400 facilitating interactions between a database system and a public trust ledger, configured in accordance with one or more embodiments. The system 400 includes an end user 402, an entity 404, a database system 406, a token app 408, a system administrator 410, an API 412, and a ledger 416. FIG. 4 illustrates, at a high level, some of the interactions between such components, interactions which are explored in additional detail throughout the application.

According to various embodiments, the end user 402 may be a computing device associated with a user interacting with the entity 404. For example, the end user 402 may sign up to establish a public trust ledger account for accessing digital assets and may purchase, or be awarded, such assets. As used herein, the term “purchase” may refer to a transaction in which a digital asset is acquired in exchange for currency. However, the term “purchase” may also refer to other types of transactions, such as when a user is awarded a digital asset as an incentive or reward.

According to various embodiments, the entity 404 may be an organization accessing computer services provided by the database system 406. For example, the entity 404 may be a business accessing customer relations management services, data storage services, or any other computing services via the database system 406.

According to various embodiments, the database system 406 may be configured to provide various services to a variety of entities via the internet. Such services may include, but are not limited to CRM services, sales management services, account service management services, social media services, and training services. Examples of components included in a database system are discussed in additional detail throughout the application, for example with respect to the FIG. 16 , FIG. 17A, FIG. 17B, and FIG. 18 .

According to various embodiments, the database system 406 may include a token app 408 for performing operations related to digital assets. The entity 404 may communicate with the database system 406 to perform operations such as creating an account for the end user 402, request to transfer a digital asset to the user's account, and/or receive information relating to such transactions.

According to various embodiments, the system administrator 410 may be a computing device authenticated to an individual configured to perform administrative operations on behalf of the entity 404. For example, the system administrator 410 may perform operations such as creating digital assets and associated tokens and/or receiving notifications related to digital assets.

According to various embodiments, the ledger API 412 may provide a point of contact for interacting with the public trust ledger. For example, the token app 408 may send and receive administrative communications with the API 412. Such communications may include, for instance, various configuration operations.

The API 412 may include a DAML API. According to various embodiments, the DAML API may be configured to communicate directly with the public trust ledger, for instance in a custodial wallet configuration. For instance, the DAML API may be configured to perform operations such as specifying transactions for recording in the ledger 416.

In some implementations, the API 412 may be an interface associated with a non-custodial wallet. For example, a Metamask wallet may be connected with the database system. The database system may then communicate with the Metamask wallet to perform one or more blockchain-related applications. For instance, the database system may send a blockchain-related instruction to the Metamask wallet, where the wallet owner may sign the instruction with a private key to perform an action on the blockchain.

In some implementations, communication with the public trust ledger 416 through the API may be role-specific. For instance, a smart contract may be associated with various roles, such as minter, royalty recipient, administrator, smart contract owner, token owner, and the like. Accordingly, the database system 406, the API 412, and/or the blockchain 416 may validate requests to determine whether a requester is associated with a role that allows the requester to perform the requested action. Additional details regarding roles are described with respect to the diagram 1500 shown in FIG. 15 .

In some implementations, communication with the public trust ledger 416 through the API 412 may include a blockchain parameter. For instance, the database system 406 may support interaction with more than one blockchain. In such a situation, the API 412 may be used to communicate with more than one blockchain, and a parameter value may identify the blockchain that is the subject of a particular communication interaction. The API 412 may communicate with the database system 406 to tailor operations for a particular blockchain. For instance, the system may select a particular smart contract byte code implementation depending on the blockchain parameter.

FIG. 5 illustrates an example of a smart contract 500, configured in accordance with one or more embodiments. According to various embodiments, the smart contract 500 may be used to record transactions related to digital assets in a public trust ledger. The smart contract 500 includes a public key 502, a private key 504, a transaction interface 506, an owner ID 508, a smart contract ID list 510, one or more item tokens 512, smart contract metadata 520, and a multi-signature policy 524.

In some implementations, the smart contract 500 is a computer program that may be included within a public trust ledger such as a blockchain. The smart contract 500 may then be executed to perform one or more operations, accessible via the transaction interface 506. Such transactions may include, but are not limited to: transferring ownership of one or more item tokens 512, providing one or more entries on the smart contract id list 510, and identifying the owner 508.

According to various embodiments, a smart contract may be implemented as a template and one or more instances of the template. For example, a template may be created for a particular type of token. Then, an instance of the smart contract template may be used to store some quantity of the token. For example, an instance of a smart contract may store one or more NFTs of a particular type and owned by a particular account. As another example, an instance of a smart contract template may store a quantity of a fungible token of a particular type and owned by a particular account. An instance of a smart contract template may be identified by, for example, an execution ID.

According to various embodiments, communication with the smart contract 500 may be secured via the public key 502 and the private key 504. The public key 502 is publicly available to anyone with access to the public trust ledger, while the private key 504 is private to the smart contract 502. Any system may employ the public key 502 to encrypt a message that can only be decrypted by the smart contract's private key. Similarly, the smart contrast 500 may encrypt a message using the private key 504. Although anyone may decrypt the message using the public key 502, the recipient of the message may verify that the message was sent by the smart contract 500 by virtue of its being decryptable using the smart contract's public key 502.

In some configurations, the public key 502 and the private key 504 may be used to encrypt some or all of the communication with the smart contract 500. Alternatively, or additionally, the public key 502 and the private key 504 may be used to facilitate a key exchange for the purpose of establishing a secure communication session between the smart contract 500 and another party to the communication session.

According to various embodiments, the owner ID 508 identifies the owner of the smart contract 500 and the included one or more tokens 512. The owner ID 508 may indicate an account in the public trust ledger. By authenticating as the owner associated with the owner ID 508, the owner may be able to authorize one or more transactions associated with the smart contract 500, such recording a transaction transferring the token 512 to a different party.

In some implementations, the smart contract ID list 510 may identify one or more other smart contracts associated with the smart contract 500. For example, the smart contract ID list 510 may identify one or more other smart contracts that are chained with the smart contract 500. In some configurations, one or more of the smart contracts identified by the smart contract ID list 510 may need to be executed in order for the smart contract 500 to be executed.

In some embodiments, the item token 512 identifies the digital asset being transferred. The token 512 includes a token ID 514, a digital asset ID 516, a token type 518, and token metadata 522. The digital asset ID 516 is an identifier that identifies a digital asset recorded in a database system. For instance, the digital asset ID 516 may correspond with a value in column 314 for an entry in the digital asset table 310.

According to various embodiments, the token ID 514 is an identifier created when the token 512 is minted. The token ID 514 uniquely identifies the token 512 within the public trust ledger. The token type 518 indicates the type of token represented by the token 512. For example, the token type 518 may indicate ownership of the digital asset ID 516. As another example, the token type 518 may indicate ownership of one or more rights associated with the digital asset ID 516. Examples of such rights may include, but are not limited to: some or all of the copyrights associated with the digital asset identified by the digital asset ID 516, the right to transfer the digital asset identified by digital asset ID 516, or the right to transfer rights associated with the digital asset identified by digital asset ID 516.

In some implementations, a smart contract 500 may include a single token 512. Alternatively, a smart contract 500 may include more than one token. For example, the ERC-1155 standard as well as other types of token standards provide for multiple tokens within the same smart contract 500.

In some embodiments, the token 512 may be non-fungible. However, as discussed herein, techniques and mechanisms described herein may also be used in conjunction with fungible tokens.

According to various embodiments, the smart contract metadata 520 may include information stored within the smart contract that may be used for various purposes. For example, the smart contract metadata may include information used to determine whether a requested transfer is permissible. For instance, the smart contract metadata may include information such as the number of times a token may be transferred, the identities of one or more parties to whom the token may or may not be transferred, or other such constraints. Such information may be specified in any suitable format, such as JSON or XML.

According to various embodiments, the token metadata may include one or more attributes of a token minted by the smart contract. For instance, in the case of an NFT, the token metadata may identify unique characteristics of the NFT. In some configurations, token metadata may include a reference to information stored outside the blockchain. For example, the token metadata may include a URI or other identifier associated with information stored in the InterPlanetary File System (IPFS), Filecoin, or other distributed storage system. As another example, the token metadata may include a URI or other identifier associated with information stored elsewhere in the same or a different blockchain. As another example, the token metadata may include a URI or other identifier associated with information stored in a different location, such as YouTube.

According to various embodiments, the smart contract multi-signature policy 524 may be used to enforce one or more signature requirements for performing a smart contract action via the transaction interface 506. The multi-signature policy 524 may be stored in a JSON format or any other suitable format for indicating a number of signatures, one or more roles, and/or one or more account identifiers needed to perform one or more actions related to the smart contract 500.

In some embodiments, when a multi-signature policy for a smart contract is successfully updated, the updated multi-signature policy may be stored on the blockchain itself. For instance, the current multi-signature policy for a smart contract may be the multi-signature policy most recently written to the blockchain via the updating process. One example of a process for updating a multi-signature policy for a smart contract is discussed with respect to the method 2200 shown in FIG. 22 .

FIG. 6 illustrates an example of a method 600 for creating a digital asset, performed in accordance with one or more embodiments. According to various embodiments, the method 600 may be performed at one or more computing devices within an on-demand computing services environment. The method 600 may be performed in order to create a digital asset and one or more associated tokens with one or more corresponding smart contracts.

A request to generate a digital asset is received at 602. According to various embodiments, the request may be received within the on-demand computing services environment. For example, an asset manager may provide user input requesting that the digital asset be generated. As another example, a digital asset may be generated automatically, for instance based on an automated script that is executed at a designated time or upon detection of a triggering condition. For instance, when a reference to a physical asset is added to the database system, a configuration parameter may indicate that a corresponding digital asset should be created as well.

One or more configuration parameters for generating the digital asset are identified at 604. In some implementations, a configuration parameter may be specified via user input. Alternatively, or additionally, a configuration parameter may be determined automatically, for instance based on a predetermined configuration file or a default configuration value.

According to various embodiments, various types of configuration parameters may be employed. Some parameters may relate to one or more rights that may be conferred by ownership of a digital token. Such parameters may include, but are not limited to: one or more rights to a digital asset, whether a right may be transferred, the number of times a right may be transferred, whether rights are separable or must be transferred together, and whether ownership may be fractional. Some parameters may relate to the nature of one or more tokens. Such parameters may include, but are not limited to: the quantity of tokens created, media content such as images, videos, sounds, or animations for creating the tokens, and/or one or more templates for smart contract and/or token creation.

In particular embodiments, the one or more configuration parameters may include metadata for generating the digital asset. For example, a product object as stored in the database system may be extensible in that in can include additional metadata. That metadata may include, for example, structured and/or unstructured data or rules, which may be used to generate token metadata for storing in the public trust ledger. That token metadata may be used in a variety of ways, such as for validating a transfer request against one or more transfer rules.

In particular embodiments, metadata may be stored in the public trust ledger in a privacy-sensitive manner. For example, personally identifying information such as a social security number, email address, or other such data may be hashed, and the resulting hash values stored in the public trust ledger. In this way, ownership of a token in the public trust ledger may be tied not only to a database account identifier, but also to personally identifying information. For instance, a verification process may involve hashing a known element of personally identifier information and ensuring that the resulting hash value matches information stored in the trust ledger. However, the personally identifying information need not be stored in the trust ledger in a cleartext state and therefore need not be publicly and permanently revealed.

A database system account associated with the digital asset is identified at 606. In some embodiments, the database system account may be identified based on the request received at 602. For instance, the request may be received from a computing device having authenticated in association with the database system account.

In some implementations, the database system account may correspond to an individual. Alternatively, the database system account may correspond to a different type of entity, such as an organization.

In particular embodiments, the database system may be a multitenant database configured to store information associated with multiple entities, or tenants, in the same database table. In such a configuration, the database system account may correspond to one of the tenants.

A public trust ledger account associated with the database system account is identified at 608. According to various embodiments, the public trust ledger account may be identified by consulting a correspondence table within the database system that links database system accounts with public trust ledger accounts. An example of such a table is shown in FIG. 3 .

A template for generating a smart contract and token for transferring ownership of the digital asset is identified at 610. In some implementations, the template may identify attributes of the smart contract and/or token such as one or more of the parameters identified at 604.

A token assigning ownership of the digital asset to the database system account is generated based on the template at 612. According to various embodiments, generating the token may involve operations such as identifying attributes other than those specified in the template. For instance, a set of NFTs may be generated for various color combinations of a digital asset, such as an item of digital apparel that is usable in conjunction with a digital avatar. In such a situation, attributes specific to the NFT may be combined with the template identified at 610 and the distributed trust ledger account 608 to generate the NFT.

The smart contract and token are recorded in a public trust ledger at 614. In some implementations, the smart contract and token may be recorded by executing a token minting process. The token minting process may involve executing a smart contract on a public blockchain, such as the Ethereum blockchain. However, techniques and mechanisms described herein are not limited to Ethereum, and instead are applicable to any blockchain or other public trust ledger that supports smart contracts. The minting process may involve one or more operations such as confirming the token as an asset on the blockchain, updating the account balance of the blockchain account identified at 326 to include the minted token, adding one or more transactions confirming such information to a block, and confirming the block to others within the blockchain network. The smart contract may be executed in part based on computations performed by one or more blockchain miners.

In particular embodiments, such as when the token is a fungible token, recording the token in a distributed trust ledger may involve registering the token in an exchange as exchangeable. Fungible tokens may include, but are not limited to, branded tokens, cryptocurrency, loyalty points, or other such interchangeable assets.

According to various embodiments, fungible and non-fungible tokens may vary in any of several ways. For example, non-fungible token may be required to possess one or more unique attributes. As another example, fungible tokens may be configured so as to be subdividable.

The database system is updated to include the reference to the token at 616. According to various embodiments, updating the database system may include generating or updating a database entry to include one or more identifiers associated with the token. For instance, a token ID, a token smart contract ID, a digital trust ledger account ID, and/or any other relevant information may be added to the database system. Additional details regarding the types of information that may be stored are described with respect to FIG. 3 .

According to various embodiments, the method 600 may be performed in order to generate more than one digital asset. For instance, a set of digital assets may be generated for virtual clothing to be worn by digital avatars. In such a situation, a digital asset may be generated for each of a variety of combinations of clothing colors.

FIG. 7 illustrates an example of a procedure 700 for minting a token, performed in accordance with one or more embodiments. According to various embodiments, the token minting procedure may involve interactions between the database system 702, the wallet API 704, and the ledger API 706.

At 708, upon receiving a request to mint a token, the database system may authenticate the party associated with the request to the wallet API 704. For instance, the database system may verify to the wallet API that the database system includes has access to authentication credentials associated with the request issuer.

An issuer party JSON web token (JWT) is requested at 710 and returned at 712. According to various embodiments, a JWT is a token that facilitates the creation of data. A JWT payload may include JSON that asserts some number of claims. A JWT may be signed an/or encrypted. When a request is made by the database system to mint a token, receiving a JWT from the wallet API 704 allows the database system 702 to interacting with the ledger API 706 to mint the token on behalf of the wallet API 704. That is, the database system 702 may use the JWT to effectively authenticate as a particular wallet to the ledger API 706. It should be noted that a JWT is only one example of the way in which such authentication may occur.

A request to create an asset structure for the token is sent to the ledger API 706 at 714, and a response message is returned at 716. According to various embodiments, the request sent at 714 may define one or more characteristics of the token, for instance as discussed with respect to the method 600 shown in FIG. 6 .

A request to fund a party account is sent to the ledger API 706 at 718, and a response message is returned at 720 indicating that the party account has been funded. According to various embodiments, the request sent at 718 may be used to assign the asset to the wallet identified by the issuer party JWT returned at 712.

At 722, one or more records of the asset or assets are created in the database system. For example, one or more records discussed with respect to the database system 300 shown in FIG. 3 may be created.

FIG. 8 illustrates an example of a method 800 for identifying information associated with a digital asset, performed in accordance with one or more embodiments. In some implementations, the method 800 may be performed at an on-demand database system. Alternatively, or additionally, the method 800 may be performed at a system configured to analyze a public trust ledger.

A request message including a request to identify information associated with a digital asset is received at 802. According to various embodiments, the method 800 may be used to identify any of various types of information, such as a current or previous owner of an NFT associated with a digital asset or a digital asset own by a particular party.

According to various embodiments, the request may include any of various request parameters used to query digital asset information. For example, the request may include a token identifier associated with a digital asset. As another example, the request may include a trust ledger account ID that may own a digital asset. As another example, the request may include a database system account ID that may own a digital asset. As yet another example, the request may include a smart contract ID that may include a token for a digital asset. Various types of queries are possible. As still another example, the request may include a digital asset identifier associated with the database system.

A token ID and smart contract ID associated with the digital asset are identified at 804. According to various embodiments, such information may be identified in any of various ways. For example, such information may be included with the request received at 802. As another example, such information may be determined or verified by accessing the database system. For instance, one or more of the tables shown in FIG. 3 may be queried using information included in the request. As yet another example, such information may be determined or verified by analyzing the public trust ledger.

The public trust ledger is accessed at 806 to identify a public trust ledger account ID that owns the token ID. In some implementations, information from the public trust ledger may be accessed by syncing some or all of the distributed public trust ledger with a local machine. Alternatively, or additionally, a trusted platform that provides access to the public trust ledger may be queried to access the information.

The database system is accessed at 808 to identify a correspondence between a database system account and a public trust ledger ID. According to various embodiments, accessing the database system may involve querying the table 330 shown in FIG. 3 . For example, a database account ID may be used to identify a corresponding trust ledger account ID. As another example, a trust ledger account ID may be used to identify a corresponding database account ID.

According to various embodiments, when an identifier is identified, additional information may be identified as well. For instance, information about an database system account or public trust ledger account, such as the account name or other contact information, may be returned.

A determination is made at 810 as to whether to perform additional information verification. In some implementations, the determination may be made at least in part on the nature of the query. For instance, a query may indicate a request to identify all owners of rights that pertain to a particular digital asset. Alternatively, or additionally, the determination made at 810 may be made at least in part based on user input. For instance, a user may provide a request to identify additional information pertaining to a different or related right or digital asset.

According to various embodiments, queries may be linked in various ways. For example, to identify a copyright holder associated with a digital asset, the system may first identify a token and associated token owner for the digital asset. That information may then be used to identify a related NFT associated with copyright for the digital asset.

A response message is transmitted at 812. According to various embodiments, the response message may include any or all of the information discussed with respect to FIG. 8 , and/or any other suitable information.

According to various embodiments, the operations shown in FIG. 8 may be performed in an order different than that shown. For example, an identification process may start with a database account ID and then identify information such as one or more tokens and corresponding digital assets owned by a public trust ledger account associated with that database account ID. As another example, an identification process may start with a public trust ledger ID and then identify information such as a database account ID corresponding with the public trust ledger ID. Various types and combinations of queries are possible.

FIG. 9 illustrates an example of a method 900 for transferring a digital asset, performed in accordance with one or more embodiments. The method 900 may be performed at one or more computing systems within an on-demand database system. The method 900 may be used to transfer one or more NFTs providing ownership of a digital asset and/or other rights related to the digital asset from a first party to a second party.

A request is received at 902 to transfer a one or more rights for a digital asset from a first database account to a second database account. In some implementations, the request may be generated based on user input. For instance, a user associated with one database account may generate a request to transfer a right to a second database account. In some embodiments, the request may be generated automatically. For instance, the request may be generated when the database system detects that a transaction related to a digital asset has occurred.

A right is selected for transferring at 904. In some implementations, the right selected for transferring may be identified in the request received at 902. Alternatively, or additionally, one or more rights may be selected by a user, for instance by providing input via a user interface.

According to various embodiments, a digital asset transfer method may be used to transfer multiple NFTs associated with a digital asset. For example, a database account may transfer a first NFT providing ownership rights to the digital asset, a second NFT providing a limited copyright over the digital asset, and a third NFT providing a right to modify the digital asset. Alternatively, or additionally, a digital asset transfer method may be used to transfer an NFT providing rights over a digital asset without transferring ownership of the digital asset. For example, a database account may transfer a right to modify a digital asset without transferring ownership of the digital asset.

A determination is made at 906 as to whether the requested rights transfer is permissible. According to various embodiments, the determination made at 906 may involve determining whether rights associated with the digital asset are owned by the first database account. In some embodiments, one or more rights may be associated with the first database account by default. For instance, if the digital asset was created by the holder of the first database account, then that party may be assumed to hold copyright, transfer rights, and other such rights associated with the digital assets.

In some implementations, one or more rights may be associated with the first database account by virtue of the first database account owning an NFT associated with the rights. The ownership status of an NFT associated with the right may be verified in one or more of various ways. For example, the database system may record the current owner of the NFT, as discussed with respect to the database system 300 configured as shown in FIG. 3 . As another example, the ownership of the NFT may be validated by consulting the public trust ledger. An example of a method for verifying NFT ownership by interacting with a public trust ledger is shown in the method 800 in FIG. 8 .

In some implementations, the determination made at 906 may involve evaluating one or more validation rules determined based on metadata stored within the smart contract. For example, the smart contract may include a rule prohibiting the token from being transferred more than a designated number of times. As another example, the smart contract may include a rule prohibiting the token from being transferred to a particular entity.

A determination is made at 908 as to whether to generate a contractual agreement to transfer the right. According to various embodiments, the determination may be made at least in part based on the right being transferred. For example, ownership rights may not need a contractual agreement to facilitate a transfer, while a contractual agreement may be needed to transfer a copyright. As another example, a right may be transferrable without a signed contractual agreement in one jurisdiction, whereas a different jurisdiction may require a signed contractual agreement to effectuate a transfer. Such requirements may be stored as metadata within the database system and/or within the public trust ledger.

If a determination to generate a contractual agreement is made, then at 910 such an agreement may be generated. In some implementations, generating a contractual agreement may involve identifying a template associated with the type of rights being transferred and then completing that template with information associated with the specific transfer being effectuated. For instance, a template for transferring copyright over an item of digital apparel for an avatar may be filled out with information such as the identity of the party that currently owns the item, the identity of the party to whom the item is being transferred, and identifying information for the item being transferred.

Approval of the agreement is secured and recorded at 912. According to various embodiments, securing approval may be performed in any of various ways. For example, a party may sign an agreement using a digital signature mechanism. As another example, an agreement may be printed, physically signed by a representative of the party, and scanned. The particular method used to secure approval of the agreement may depend, for instance, on the type of rights being transferred and any specific requirements (e.g., jurisdictional requirements, requirements imposed by the parties, etc.) associated with the transfer of such rights.

In some implementations, approval may need to be secured from both parties. For instance, the transfer of ownership or copyright may involve securing approval from both the transferee and the transferor. Alternatively, approval may only need to be secured from one of the parties. For example, for some rights approval may need to be obtained only for the party transferring the right.

A determination is made at 914 as to whether the right is associated with an existing NFT. According to various embodiments, such a determination may be made by querying the database system 300 shown in FIG. 3 .

If the right is not associated with an existing NFT, an NFT and associated smart contract assigning the rights to the first database account may be created and recorded in a public trust ledger at 916. The creation and recordation of such an NFT may be substantially similar to the operations 510-516 shown in FIG. 5 .

In some implementations, more than one NFT may be created, for instance in the event that more than one right is selected for transfer. In such a situation, the creation and recordation of NFTs and smart contracts for the different rights may be performed as part of the same transaction.

A determination is made at 918 as to whether to select an additional right for transferring. According to various embodiments, additional rights may be selected until all rights identified for transferring are associated with a respective NFT and contractual agreements have been generated and approved wherever such agreements are indicated.

At 920, a transaction transferring ownership of the one or more NFTs is recorded in a public trust ledger. In some embodiments, multiple NFT transfers may be grouped into a single public trust ledger transaction. Alternatively, or additionally, an NFT transfer may be treated as a distinct transaction for recording within the public trust ledger.

The database system is updated at 922. According to various embodiments, updating the database system may involve storing an indication of the transactions recorded at operations 908 or 920. For instance, the database system 300 shown in FIG. 3 may be updated to indicate that the second party is now the owner and/or rights holder associated with the digital asset and that the first party is no longer the owner and/or rights holder.

In particular embodiments, NFT creation and/or transfer transactions may be combined in various ways. For example, the ERC-1155 standard allows for including multiple NFTs within the same smart contract. Such an approach may help to reduce the transaction costs associated with recording transactions in the public trust ledger.

FIG. 10 illustrates an example of a method 1000 for transferring a digital asset fungible token, performed in accordance with one or more embodiments. The method 1000 may be performed at one or more computing systems within an on-demand database system. The method 1000 may be used to transfer one or more fungible token providing ownership of a digital asset and/or other rights related to the digital asset from a first party to a second party.

A request is received at 1002 to transfer a one or more fungible tokens for a digital asset from a first database account to a second database account. In some implementations, the request may be generated based on user input. For instance, a user associated with one database account may generate a request to transfer a right to a second database account. In some embodiments, the request may be generated automatically. For instance, the request may be generated when the database system detects that a transaction related to a digital asset has occurred.

A determination is made at 1004 as to whether the requested transfer is permissible. According to various embodiments, the determination made at 1004 may involve determining whether rights associated with the digital asset are owned by the first database account. In some embodiments, one or more rights may be associated with the first database account by default. For instance, if the digital asset was created by the holder of the first database account, then that party may be assumed to hold copyright, transfer rights, and other such rights associated with the digital assets.

In some implementations, one or more rights may be associated with the first database account by virtue of the first database account owning a token associated with the rights. The ownership status of a token associated with the right may be verified in one or more of various ways. For example, the database system may record the current owner of the token, as discussed with respect to the database system 300 configured as shown in FIG. 3 . As another example, the ownership of the token may be validated by consulting the public trust ledger. An example of a method for verifying token ownership by interacting with a public trust ledger is shown in the method 800 in FIG. 8 .

In some implementations, the determination made at 1004 may involve evaluating one or more validation rules determined based on metadata stored within the smart contract. For example, the smart contract may include a rule prohibiting the token from being transferred more than a designated number of times. As another example, the smart contract may include a rule prohibiting the token from being transferred to a particular entity.

A determination is made at 1006 as to whether to transfer the entire token or tokens. According to various embodiments, fungible tokens may be configured so as to be subdivided. For instance, a quantity of cryptocurrency, loyalty tokens, branded tokens, or other such tokens may be subdivided and transferred only in part to the second entity.

According to various embodiments, whether to subdivide the token or tokens, as well as the amount to transfer if subdivided, may be indicated in the request received at 1002. Alternatively, or additionally, user input indicating such information may be received. As still another possibility, such information may be determined automatically, for instance by matching the subdivided portion to a quantity need to complete a purchase.

When it is determined to transfer the entire token or quantity of tokens, then at 1008 a transaction transferring the one or more tokens is recorded in the trust ledger. According to various embodiments, the transaction may be recorded by executing the first smart contract.

If instead a determination is made to transfer only a portion of the tokens, then at 1010 a balance on the first smart contract may be updated to remove a first portion of the token or tokens. At 1012, a second smart contract may be generated that assigns the first token portion to the second database account. Then, the transactions are recorded in a trust ledger at 1014. According to various embodiments, the transaction may be recorded at least in part by executing the first smart contract.

The database system is updated at 1016. According to various embodiments, updating the database system may involve storing an indication of the transactions recorded at operations 1008 or 1014. For instance, the database system 300 shown in FIG. 3 may be updated to indicate that the second party is the owner of the token, tokens, or token portions that were transferred, and that the first party is no longer the owner of the token, tokens, or token portions.

In particular embodiments, token creation and/or transfer transactions may be combined in various ways. For example, the ERC-1155 standard allows for including multiple tokens within the same smart contract. Such an approach may help to reduce the transaction costs associated with recording transactions in the public trust ledger.

FIG. 11 illustrates a messaging procedure 1100 for transferring a token, performed in accordance with one or more embodiments. According to various embodiments, the messaging procedure 1100 may be used in conjunction with one or more techniques or mechanisms described herein, such as the methods 900 and 1000 shown in FIGS. 9 and 10 .

A purchase request is sent from an entity 1102 at 1104. According to various embodiments, the entity 1102 may be any suitable entity within the database system. For example, the entity 1102 may be a computing device authenticated as a user or organization having a database system account. The purchase request may indicate one or more fungible and/or non-fungible tokens that the entity would like to purchase.

At 1106, upon receiving a request to purchase a token, the database system may authenticate the party associated with the request to the wallet API 704. For instance, the database system may verify to the wallet API that the database system includes has access to authentication credentials associated with the request issuer.

A buyer party JSON web token (JWT) is requested at 1108 and returned at 1110. According to various embodiments, when a request is made by the database system to purchase a token, receiving a JWT from the wallet API 704 allows the database system 702 to interacting with the ledger API 706 to transfer the token to the buyer's wallet. That is, the database system 702 may use the JWT to effectively authenticate as a particular wallet to the ledger API 706. It should be noted that a JWT is only one example of the way in which such authentication may occur.

Exchange services are requested at 1112 and confirmed at 1124. According to various embodiments, requesting exchange services may involve, for instance, initiating communication with the appropriate node. For example, the communication may involve establishing a communication with the node, verifying that the seller party is the owner of the token subject to the requested purchase, and/or verifying that the requested purchase is permissible.

A seller party JSON web token (JWT) is requested at 1116 and returned at 1118. According to various embodiments, when a request is made by the database system to purchase a token, receiving a JWT from the wallet API 704 allows the database system 702 to interacting with the ledger API 706 to transfer the token from the seller's wallet. That is, the database system 702 may use the JWT to effectively authenticate as a particular wallet to the ledger API 706. It should be noted that a JWT is only one example of the way in which such authentication may occur.

At 1120, the database system 702 requests to deposit the token from the seller's wallet. The deposit is confirmed at 1122. At 1124, the database 702 sends a request to perform the exchange. The exchange is confirmed at 1126. According to various embodiments, operations 1120 and 1122 may relate to, for example, the exchange of payment. The operations 1124 and 1126 may relate to the exchange of one or more tokens after payment is made and confirmed.

The asset account ID is updated in the database system at 1128. According to various embodiments, updating the asset account ID may involve updating a database entry associated with the digital asset to indicate that the purchaser is now the owner of the digital asset.

The asset transaction log status is updated at 1120. According to various embodiments, updating the asset transaction log status may involve creating or modifying an entry in the transaction table to indicate that the transaction has been completed.

A request to create an asset structure for the token is sent to the ledger API 706 at 714, and a response message is returned at 716. According to various embodiments, the request sent at 714 may define one or more characteristics of the token, for instance as discussed with respect to the method 600 shown in FIG. 6 .

A request to fund a party account is sent to the ledger API 706 at 718, and a response message is returned at 720 indicating that the party account has been funded. According to various embodiments, the request sent at 718 may be used to assign the asset to the wallet identified by the issuer party JWT returned at 712.

At 722, one or more records of the asset or assets are created in the database system. For example, one or more records discussed with respect to the database system 300 shown in FIG. 3 may be created.

FIG. 12 illustrates an example of as messaging procedure 1200 for creating an account, performed in accordance with one or more embodiments. According to various embodiments, the messaging procedure 1200 may be used in conjunction with one or more techniques or mechanisms described herein, such as for example to create an account that may be used to issue or purchase tokens.

An account creation request is sent from an entity 1102 at 1206. According to various embodiments, the entity 1102 may be any suitable entity within the database system. For example, the entity 1102 may be a computing device authenticated as a user or organization having a database system account. The account creation request may include information identifying and authenticating the entity associated with the request.

At 1208, upon receiving a request to purchase a token, the database system may authenticate the party associated with the request to the wallet API 704. The wallet API 704 may respond by providing an account JWT at 1210, configured as discussed with respect to the methods 700 and 1100 shown in FIGS. 7 and 11 .

A request user grant token is requested at 1212 and returned at 1214. According to various embodiments, the request user grant token may be used by the database system 702 to uniquely identify a new user being created. The new user may be associated with a new wallet created based on interacting with the wallet API 704, and the user's information recorded in the ledger API 706.

A request to create a party is sent to the wallet API at 1216, and the party's ID is returned at 1218. The party's ID is stamped on the entity's database system account at 1228. According to various embodiments, the party ID may uniquely identify the party in the distributed trust ledger.

At 1220, a request to record the creation of the party account in the public trust ledger is sent to the ledger API 706. A confirmation that the party account was recorded is returned at 1222.

FIG. 13 illustrates an example of a procedure 1300 for communicating with a public trust ledger via a non-custodial wallet, performed in accordance with one or more embodiments. According to various embodiments, various procedures discussed herein are described in the context of a custodial wallet configuration, in which the database system maintains credentials associated with a wallet. However, any of these procedures may be adapted to a non-custodial configuration, as discussed with respect to the procedure 1300 shown in FIG. 13 .

An authentication process is performed at 1308. According to various embodiments, the authentication process may involve establishing a secure connection between the database system 1302 and a non-custodial wallet. The non-custodial wallet may be located, for instance, at a local or cloud computing location controlled by an organization or individual associated with a database system account. The authentication process may involve the owner of the database system account connecting the wallet to the database system as a decentralized application.

A request is transmitted from the wallet API 1304 (or the owner of the database system) to the database system 1302 at 1310. According to various embodiments, the request may be any request in the context of techniques and mechanisms described herein. For instance, the request may involve configurating a smart contract for deployment on the blockchain, or a request to mint a token for a smart contract deployed on the blockchain.

A blockchain transaction or other instruction is sent from the database system 1302 to the wallet API 1304 at 1312. According to various embodiments, the transaction may involve deploying a smart contract to the blockchain, minting a token, or some other blockchain-related action.

At 1314, the owner of the database system account signs the transaction and records it to the blockchain. At that point, the transaction is executed. For example, a smart contract may be deployed, a token may be minted, or a token may be transferred.

The owner of the database system account may send a response to the database system at 1316 indicating that the transaction has been recorded. Moreover, the database system may directly observe the blockchain at 1316. Collectively this information may be used to update one or more records at the database system to reflect transactions that have occurred in the blockchain.

FIG. 14 illustrates one example of a method 1400 of controlling actions related to a smart contract, configured in accordance with one or more embodiments. The method 1400 may be used to determine whether to permit an action such as minting a new token with a smart contract or transferring a token from one party to another.

According to various embodiments, the method 1400 may be implemented by one or more computing devices within a computing system such as the on-demand database systems discussed with respect to FIG. 16 , FIG. 17A, FIG. 17B, and FIG. 18 . However, as discussed below, the method 1400 may be used to control access to such actions even when they are initiated outside the on-demand database system.

A request to perform an action related to a smart contract is received at 1402. According to various embodiments, any of various types of actions may be requested. Such actions may include, but are not limited to: minting a new token, transferring a token from one party to another, changing a mutable value associated with a token, changing a role associated with the smart contract, or any other suitable type of action.

In some implementations, the request may be received directly at the database system. For example, as discussed herein, the database system may act on behalf of parties to perform actions with respect to the blockchain. The database system may maintain, for instance, a private key associated with an account within a blockchain, and then use a private key to act on the party's behalf.

In some embodiments, the request may instead be received from outside the database system. For example, the database system may provide an application procedure interface (API) for responding to action authorization requests. Then, a smart contract that includes an action control function may be deployed to the blockchain. When the smart contract is executed and receives a request to perform an action, the action control function may first communicate with the API as an oracle outside the smart contract to provide to the smart contract an indicate as to whether the action is permitted.

One or more wallets, wallet roles, database system accounts, and/or tokens associated with the request are identified at 1404. In some implementations, such wallets, roles, accounts, and/or tokens may be known to the database system. The database system may know of such information either because the smart contracts and tokens were created by the database system. Alternatively, the database system may know of such information because such information was previously imported into the database system.

In some configurations, such wallets, roles, accounts, and/or tokens may not be known to the database system. In such a situation, such information may be retrieved directly from the blockchain, via operations such as those discussed with respect to the method 1300 shown in FIG. 13 .

Risk assessment information associated with the request is identified at 1406. In some embodiments, risk assessment information may be identified by consulting one or more third-party security information providers. Alternatively, such information may be identified directly by the database system itself.

According to various embodiments, any or all of a variety of information may be identified related to security, legality, and/or risk. For example, a wallet involved in a requested transaction may have been funded by a bank account that has been identified as being associated with fraudulent activity. As another example, an account associated with a selected transaction may be identified as having been associated with wash trading, where a token is sold from one account associated with a party to a different account associated with the same party at an exorbitant price. As yet another example, an account associated with a selected transaction may have been identified as attempting to circumvent a restriction such as a maximum number of tokens of a particular type owned by a particular owner through establishing multiple wallets and/or related accounts.

One or more security restrictions associated with the request are identified at 1408. According to various embodiments, any or all of a variety of security restrictions may be applicable. For example, the database system may impose one or more restrictions based on a legal regime outside the database system. As another example, the database system may impose one or more restrictions to all transactions performed with smart contracts controlled by the database system. As yet another example, an account related to the transaction, such as the owner of the collection of NFTs minted by the smart contract, may impose one or more security restrictions on transactions pertaining to the minted NFTs.

According to various embodiments, such security restrictions may be stored within the database system, and may be specified at the level of the database system as a whole, an individual entity within the database system, a smart contract, a token, or any other suitable unit of analysis.

According to various embodiments, security restrictions may take potentially many forms. Such forms may include, but are not limited to: a maximum price associated with a token transfer, a maximum number of tokens that may be held by a single account, one or more characteristics of accounts that may not purchase or sell tokens, a maximum risk score associated with an account, any other suitable restrictions, or combinations thereof.

A determination is made at 1410 as to whether the requested action is permitted under the security restrictions, based on the risk assessment information. In some implementations, the determination may be made by applying the security restrictions identified at 1408 to the requested action in view of the risk assessment information identified at 1406.

If the action is permitted, then the requested action is performed at 1412. A response message is transmitted at 1414. In some embodiments, the requested action may be performed in the blockchain by the database system itself, as discussed herein. Alternatively, if the database system exposes an API that serves as an oracle for transactions conducted on the blockchain outside the database system, then the database system may transmit a response message to the smart contract that transmitted the request received at 1402.

According to various embodiments, the method 1400 may be used to allow the owner of a smart contract to pause and/or resume trading of tokens minted via the smart contract. For example, the owner of the smart contract may implement a rule pausing trading of a designated token or set of tokens. For example, the owner of the smart contract may implement a rule pausing trading to or from a designated wallet address. For example, the owner of the smart contract may implement a rule pausing trading of all tokens minted by a designated smart contract.

FIG. 15 illustrates a diagram of a public trust ledger synthetic party 1500, configured in accordance with one or more embodiments. The public trust ledger synthetic party 1500 includes an owner party 1502, one or more subordinate parties 1504, one or more public trust ledger synthetic party permission rules 1514, and a smart contract template 1520. The owner party 1502 includes an database system owner account ID 1506, one or more public trust ledger synthetic party keys 1508, and a public trust ledger owner ID 1522. The subordinate parties 1504 include the database system account ID A 1510 through the database system account ID N 1512. The public trust ledger synthetic party permission rules 1514 include the rule 1 1516 through the rule K 1518.

According to various embodiments, the public trust ledger synthetic party may be created in a database system. The public trust ledger synthetic party may be used to allow more than one entity to perform actions related to a smart contract template or instances of a smart contract template. For example, the entity that owns the public trust ledger synthetic party may perform actions such as minting tokens using the smart contract template 1520 and burning tokens created using the smart contract template 1520. The entity that owns the public trust ledger synthetic party may also delegate various types of actions to one or more of the subordinate parties. For instance, a subordinate party may be authorized to transfer a token between two parties.

In some implementations, the owner party 1502 may be the party that exercises ultimate authority over the smart contract template or contract templates owned by the synthetic party 1500. For instance, the owner party 1502 may be the party that created or instigated the creation of the public trust ledger synthetic party and/or the smart contract template 1520.

According to various embodiments, the owner party 1502 may be identified within the database system by the database system account owner account ID 1506. For example, the owner party 1502 may be an entity such as an organization or individual accessing on-demand computer services via the on-demand database system.

According to various embodiments, the owner party 1502 may be identified on the public trust ledger by the public trust ledger owner id 1522. For instance, the public trust ledger owner id 1522 may be a unique identifier associated with a specific public trust ledger outside the database system. The public trust ledger may be the external location on which the smart contract template 1520 is recorded and on which transactions related to one or more tokens minted based on the smart contract template 1520 are stored.

In some implementations, the database system may manage interactions with the public trust ledger related to the smart contract template 1520 and/or instances of the smart contract template 1520 using the public trust ledger synthetic party keys 1522. The public trust ledger synthetic party keys 1522 may include one or more private keys for authenticating public trust ledger transactions by the public trust ledger owner ID 1522. Typically, a public trust ledger allows for only a single owner, designated by a public trust ledger account ID, for a particular smart contract. Accordingly, to facilitate transactions with the public trust ledger, the public trust ledger synthetic party keys 1508 may be stored within the database system.

In some implementations, the public trust ledger synthetic party keys 1508 may be generated within the public trust ledger by the owner party and then provided to the database system for storage. Alternatively, the database system may generate the public trust ledger synthetic party keys 1508 on behalf of the owner party. In either case, the owner party may be able to request the public trust ledger synthetic party keys 1508 from the database system and/or change the public trust ledger synthetic party keys within the public trust ledger. In particular embodiments, the public trust ledger synthetic party keys 1508 may be stored within a public trust ledger wallet, which in turn may be stored in the database system.

According to various embodiments, the subordinate parties 1504 include one or more database system account IDs associated with accounts within the database system. Each database system account may correspond with an individual or an organization such as a company accessing on-demand computing services via the database system. Subordinate parties may be identified by the creator of the public trust ledger synthetic party 1500.

According to various embodiments, the smart contract template 1520 may be any smart contract created in accordance with techniques and mechanisms described herein. The smart contract template may specify one or more rules for creating fungible and/or non-fungible tokens. Such tokens may then be embedded in one or more instances of the smart contract template 1520. Then, the one or more instances of the smart contract template 1520 may be used to perform actions such as transferring the tokens between parties, with those transactions being recorded on a public trust ledger. Although only a single smart contract template 1520 is shown in FIG. 15 , in some implementations a public trust ledger synthetic party may be associated with more than one smart contract template.

In some implementations, the public trust ledger synthetic party permission rules 1514 include one or more rules related to actions that subordinate parties may take with respect to the smart contract template 1520 and/or instances of the smart contract template 1520. For example, a rule may identify one or more subordinate parties who are authorized to transfer a token minted based on the smart contract template 1520 to another party. As another example, a rule may identify one or more subordinate parties who are authorized to update a value stored within an instance of the smart contract template 1520.

In particular embodiments, a public trust ledger synthetic party may support the creation of jointly managed assets. For example, a set of companies such as an airline group may collaborate to create a joint loyalty point system in which points may be used among the different companies within the group.

According to various embodiments, FIG. 15 illustrates an implementation in which multiple parties may be authorized to perform blockchain-related interactions for a single smart contract via a database system. Alternatively, or additionally, one or more of the roles represented in FIG. 15 may be implemented in the blockchain itself. For example, a smart contract may be configured to include various roles associated with various types of authorized actions, and various blockchain account identifiers may be assigned those various roles within the smart contract itself. In such a configuration, it may be the case that party keys 1508 may not be stored within the database system. Instead, the owner party 1502 may interact with the smart contract template 1520 via one or more non-custodial wallets. Further, one or more of the subordinate parties 1510-1512 may interact with the smart contract template 1520 via a respective non-custodial wallet configuration.

FIG. 16 shows a block diagram of an example of an environment 1610 that includes an on-demand database service configured in accordance with some implementations. Environment 1610 may include user systems 1612, network 1614, database system 1616, processor system 1617, application platform 1618, network interface 1620, tenant data storage 1622, tenant data 1623, system data storage 1624, system data 1625, program code 1626, process space 1628, User Interface (UI) 1630, Application Program Interface (API) 1632, PL/SOQL 1634, save routines 1636, application setup mechanism 1638, application servers 1650-1 through 1650-N, system process space 1652, tenant process spaces 1654, tenant management process space 1660, tenant storage space 1662, user storage 1664, and application metadata 1666. Some of such devices may be implemented using hardware or a combination of hardware and software and may be implemented on the same physical device or on different devices. Thus, terms such as “data processing apparatus,” “machine,” “server” and “device” as used herein are not limited to a single hardware device, but rather include any hardware and software configured to provide the described functionality.

An on-demand database service, implemented using system 1616, may be managed by a database service provider. Some services may store information from one or more tenants into tables of a common database image to form a multi-tenant database system (MTS). As used herein, each MTS could include one or more logically and/or physically connected servers distributed locally or across one or more geographic locations. Databases described herein may be implemented as single databases, distributed databases, collections of distributed databases, or any other suitable database system. A database image may include one or more database objects. A relational database management system (RDBMS) or a similar system may execute storage and retrieval of information against these objects.

In some implementations, the application platform 1618 may be a framework that allows the creation, management, and execution of applications in system 1616. Such applications may be developed by the database service provider or by users or third-party application developers accessing the service. Application platform 1618 includes an application setup mechanism 1638 that supports application developers' creation and management of applications, which may be saved as metadata into tenant data storage 1622 by save routines 1636 for execution by subscribers as one or more tenant process spaces 1654 managed by tenant management process 1660 for example. Invocations to such applications may be coded using PL/SOQL 1634 that provides a programming language style interface extension to API 1632. A detailed description of some PL/SOQL language implementations is discussed in commonly assigned U.S. Pat. No. 7,730,478, titled METHOD AND SYSTEM FOR ALLOWING ACCESS TO DEVELOPED APPLICATIONS VIA A MULTI-TENANT ON-DEMAND DATABASE SERVICE, by Craig Weissman, issued on Jun. 1, 2010, and hereby incorporated by reference in its entirety and for all purposes. Invocations to applications may be detected by one or more system processes. Such system processes may manage retrieval of application metadata 1666 for a subscriber making such an invocation. Such system processes may also manage execution of application metadata 1666 as an application in a virtual machine.

In some implementations, each application server 1650 may handle requests for any user associated with any organization. A load balancing function (e.g., an F5 Big-IP load balancer) may distribute requests to the application servers 1650 based on an algorithm such as least-connections, round robin, observed response time, etc. Each application server 1650 may be configured to communicate with tenant data storage 1622 and the tenant data 1623 therein, and system data storage 1624 and the system data 1625 therein to serve requests of user systems 1612. The tenant data 1623 may be divided into individual tenant storage spaces 1662, which can be either a physical arrangement and/or a logical arrangement of data. Within each tenant storage space 1662, user storage 1664 and application metadata 1666 may be similarly allocated for each user. For example, a copy of a user's most recently used (MRU) items might be stored to user storage 1664. Similarly, a copy of MRU items for an entire tenant organization may be stored to tenant storage space 1662. A UI 1630 provides a user interface and an API 1632 provides an application programming interface to system 1616 resident processes to users and/or developers at user systems 1612.

System 1616 may implement a web-based digital asset management system. For example, in some implementations, system 1616 may include application servers configured to implement and execute software applications related to creation, managing, and transferring digital assets. The application servers may be configured to provide related data, code, forms, web pages and other information to and from user systems 1612. Additionally, the application servers may be configured to store information to, and retrieve information from a database system. Such information may include related data, objects, and/or Webpage content. With a multi-tenant system, data for multiple tenants may be stored in the same physical database object in tenant data storage 1622, however, tenant data may be arranged in the storage medium(s) of tenant data storage 1622 so that data of one tenant is kept logically separate from that of other tenants. In such a scheme, one tenant may not access another tenant's data, unless such data is expressly shared.

Several elements in the system shown in FIG. 16 include conventional, well-known elements that are explained only briefly here. For example, user system 1612 may include processor system 1612A, memory system 1612B, input system 1612C, and output system 1612D. A user system 1612 may be implemented as any computing device(s) or other data processing apparatus such as a mobile phone, laptop computer, tablet, desktop computer, or network of computing devices. User system 12 may run an internet browser allowing a user (e.g., a subscriber of an MTS) of user system 1612 to access, process and view information, pages and applications available from system 1616 over network 1614. Network 1614 may be any network or combination of networks of devices that communicate with one another, such as any one or any combination of a LAN (local area network), WAN (wide area network), wireless network, or other appropriate configuration.

The users of user systems 1612 may differ in their respective capacities, and the capacity of a particular user system 1612 to access information may be determined at least in part by “permissions” of the particular user system 1612. As discussed herein, permissions generally govern access to computing resources such as data objects, components, and other entities of a computing system, such as a digital asset management system, a social networking system, and/or a CRM database system. “Permission sets” generally refer to groups of permissions that may be assigned to users of such a computing environment. For instance, the assignments of users and permission sets may be stored in one or more databases of System 1616. Thus, users may receive permission to access certain resources. A permission server in an on-demand database service environment can store criteria data regarding the types of users and permission sets to assign to each other. For example, a computing device can provide to the server data indicating an attribute of a user (e.g., geographic location, industry, role, level of experience, etc.) and particular permissions to be assigned to the users fitting the attributes. Permission sets meeting the criteria may be selected and assigned to the users. Moreover, permissions may appear in multiple permission sets. In this way, the users can gain access to the components of a system.

In some an on-demand database service environments, an Application Programming Interface (API) may be configured to expose a collection of permissions and their assignments to users through appropriate network-based services and architectures, for instance, using Simple Object Access Protocol (SOAP) Web Service and Representational State Transfer (REST) APIs.

In some implementations, a permission set may be presented to an administrator as a container of permissions. However, each permission in such a permission set may reside in a separate API object exposed in a shared API that has a child-parent relationship with the same permission set object. This allows a given permission set to scale to millions of permissions for a user while allowing a developer to take advantage of joins across the API objects to query, insert, update, and delete any permission across the millions of possible choices. This makes the API highly scalable, reliable, and efficient for developers to use.

In some implementations, a permission set API constructed using the techniques disclosed herein can provide scalable, reliable, and efficient mechanisms for a developer to create tools that manage a user's permissions across various sets of access controls and across types of users. Administrators who use this tooling can effectively reduce their time managing a user's rights, integrate with external systems, and report on rights for auditing and troubleshooting purposes. By way of example, different users may have different capabilities with regard to accessing and modifying application and database information, depending on a user's security or permission level, also called authorization. In systems with a hierarchical role model, users at one permission level may have access to applications, data, and database information accessible by a lower permission level user, but may not have access to certain applications, database information, and data accessible by a user at a higher permission level.

As discussed above, system 1616 may provide on-demand database service to user systems 1612 using an MTS arrangement. By way of example, one tenant organization may be a company that employs a sales force where each salesperson uses system 1616 to manage their sales process. Thus, a user in such an organization may maintain contact data, leads data, customer follow-up data, performance data, goals and progress data, etc., all applicable to that user's personal sales process (e.g., in tenant data storage 1622). In this arrangement, a user may manage his or her sales efforts and cycles from a variety of devices, since relevant data and applications to interact with (e.g., access, view, modify, report, transmit, calculate, etc.) such data may be maintained and accessed by any user system 1612 having network access.

When implemented in an MTS arrangement, system 1616 may separate and share data between users and at the organization-level in a variety of manners. For example, for certain types of data each user's data might be separate from other users' data regardless of the organization employing such users. Other data may be organization-wide data, which is shared or accessible by several users or potentially all users form a given tenant organization. Thus, some data structures managed by system 1616 may be allocated at the tenant level while other data structures might be managed at the user level. Because an MTS might support multiple tenants including possible competitors, the MTS may have security protocols that keep data, applications, and application use separate. In addition to user-specific data and tenant-specific data, system 1616 may also maintain system-level data usable by multiple tenants or other data. Such system-level data may include industry reports, news, postings, and the like that are sharable between tenant organizations.

In some implementations, user systems 1612 may be client systems communicating with application servers 1650 to request and update system-level and tenant-level data from system 1616. By way of example, user systems 1612 may send one or more queries requesting data of a database maintained in tenant data storage 1622 and/or system data storage 1624. An application server 1650 of system 1616 may automatically generate one or more SQL statements (e.g., one or more SQL queries) that are designed to access the requested data. System data storage 1624 may generate query plans to access the requested data from the database.

The database systems described herein may be used for a variety of database applications. By way of example, each database can generally be viewed as a collection of objects, such as a set of logical tables, containing data fitted into predefined categories. A “table” is one representation of a data object, and may be used herein to simplify the conceptual description of objects and custom objects according to some implementations. It should be understood that “table” and “object” may be used interchangeably herein. Each table generally contains one or more data categories logically arranged as columns or fields in a viewable schema. Each row or record of a table contains an instance of data for each category defined by the fields. For example, a CRM database may include a table that describes a customer with fields for basic contact information such as name, address, phone number, fax number, etc. Another table might describe a purchase order, including fields for information such as customer, product, sale price, date, etc. In some multi-tenant database systems, standard entity tables might be provided for use by all tenants. In some implementations, entity tables may store information related to smart contracts and/or digital asset management. For CRM database applications, such standard entities might include tables for case, account, contact, lead, and opportunity data objects, each containing pre-defined fields. It should be understood that the word “entity” may also be used interchangeably herein with “object” and “table”.

In some implementations, tenants may be allowed to create and store custom objects, or they may be allowed to customize standard entities or objects, for example by creating custom fields for standard objects, including custom index fields. Commonly assigned U.S. Pat. No. 7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASE SYSTEM, by Weissman et al., issued on Aug. 17, 2010, and hereby incorporated by reference in its entirety and for all purposes, teaches systems and methods for creating custom objects as well as customizing standard objects in an MTS. In certain implementations, for example, all custom entity data rows may be stored in a single multi-tenant physical table, which may contain multiple logical tables per organization. It may be transparent to customers that their multiple “tables” are in fact stored in one large table or that their data may be stored in the same table as the data of other customers.

FIG. 17A shows a system diagram of an example of architectural components of an on-demand database service environment 1700, configured in accordance with some implementations. A client machine located in the cloud 1704 may communicate with the on-demand database service environment via one or more edge routers 1708 and 1712. A client machine may include any of the examples of user systems 812 described above. The edge routers 1708 and 1712 may communicate with one or more core switches 1720 and 1724 via firewall 1716. The core switches may communicate with a load balancer 1728, which may distribute server load over different pods, such as the pods 1740 and 1744 by communication via pod switches 1732 and 1736. The pods 1740 and 1744, which may each include one or more servers and/or other computing resources, may perform data processing and other operations used to provide on-demand services. Components of the environment may communicate with a database storage 1756 via a database firewall 1748 and a database switch 1752.

Accessing an on-demand database service environment may involve communications transmitted among a variety of different components. The environment 1700 is a simplified representation of an actual on-demand database service environment. For example, some implementations of an on-demand database service environment may include anywhere from one to many devices of each type. Additionally, an on-demand database service environment need not include each device shown, or may include additional devices not shown, in FIGS. 17A and 17B.

The cloud 1704 refers to any suitable data network or combination of data networks, which may include the Internet. Client machines located in the cloud 1704 may communicate with the on-demand database service environment 1700 to access services provided by the on-demand database service environment 1700. By way of example, client machines may access the on-demand database service environment 1700 to retrieve, store, edit, and/or process public trust ledger and/or digital asset creation, management, and transfer information.

In some implementations, the edge routers 1708 and 1712 route packets between the cloud 1704 and other components of the on-demand database service environment 1700. The edge routers 1708 and 1712 may employ the Border Gateway Protocol (BGP). The edge routers 1708 and 1712 may maintain a table of IP networks or ‘prefixes’, which designate network reachability among autonomous systems on the internet.

In one or more implementations, the firewall 1716 may protect the inner components of the environment 1700 from internet traffic. The firewall 1716 may block, permit, or deny access to the inner components of the on-demand database service environment 1700 based upon a set of rules and/or other criteria. The firewall 1716 may act as one or more of a packet filter, an application gateway, a stateful filter, a proxy server, or any other type of firewall.

In some implementations, the core switches 1720 and 1724 may be high-capacity switches that transfer packets within the environment 1700. The core switches 1720 and 1724 may be configured as network bridges that quickly route data between different components within the on-demand database service environment. The use of two or more core switches 1720 and 1724 may provide redundancy and/or reduced latency.

In some implementations, communication between the pods 1740 and 1744 may be conducted via the pod switches 1732 and 1736. The pod switches 1732 and 1736 may facilitate communication between the pods 1740 and 1744 and client machines, for example via core switches 1720 and 1724. Also or alternatively, the pod switches 1732 and 1736 may facilitate communication between the pods 1740 and 1744 and the database storage 1756. The load balancer 1728 may distribute workload between the pods, which may assist in improving the use of resources, increasing throughput, reducing response times, and/or reducing overhead. The load balancer 1728 may include multilayer switches to analyze and forward traffic.

In some implementations, access to the database storage 1756 may be guarded by a database firewall 1748, which may act as a computer application firewall operating at the database application layer of a protocol stack. The database firewall 1748 may protect the database storage 1756 from application attacks such as structure query language (SQL) injection, database rootkits, and unauthorized information disclosure. The database firewall 1748 may include a host using one or more forms of reverse proxy services to proxy traffic before passing it to a gateway router and/or may inspect the contents of database traffic and block certain content or database requests. The database firewall 1748 may work on the SQL application level atop the TCP/IP stack, managing applications' connection to the database or SQL management interfaces as well as intercepting and enforcing packets traveling to or from a database network or application interface.

In some implementations, the database storage 1756 may be an on-demand database system shared by many different organizations. The on-demand database service may employ a single-tenant approach, a multi-tenant approach, a virtualized approach, or any other type of database approach. Communication with the database storage 1756 may be conducted via the database switch 1752. The database storage 1756 may include various software components for handling database queries. Accordingly, the database switch 1752 may direct database queries transmitted by other components of the environment (e.g., the pods 1740 and 1744) to the correct components within the database storage 1756.

FIG. 17B shows a system diagram further illustrating an example of architectural components of an on-demand database service environment, in accordance with some implementations. The pod 1744 may be used to render services to user(s) of the on-demand database service environment 1700. The pod 1744 may include one or more content batch servers 1764, content search servers 1768, query servers 1782, file servers 1786, access control system (ACS) servers 1780, batch servers 1784, and app servers 1788. Also, the pod 1744 may include database instances 1790, quick file systems (QFS) 1792, and indexers 1794. Some or all communication between the servers in the pod 1744 may be transmitted via the switch 1736.

In some implementations, the app servers 1788 may include a framework dedicated to the execution of procedures (e.g., programs, routines, scripts) for supporting the construction of applications provided by the on-demand database service environment 1700 via the pod 1744. One or more instances of the app server 1788 may be configured to execute all or a portion of the operations of the services described herein.

In some implementations, as discussed above, the pod 1744 may include one or more database instances 1790. A database instance 1790 may be configured as an MTS in which different organizations share access to the same database, using the techniques described above. Database information may be transmitted to the indexer 1794, which may provide an index of information available in the database 1790 to file servers 1786. The QFS 1792 or other suitable filesystem may serve as a rapid-access file system for storing and accessing information available within the pod 1744. The QFS 1792 may support volume management capabilities, allowing many disks to be grouped together into a file system. The QFS 1792 may communicate with the database instances 1790, content search servers 1768 and/or indexers 1794 to identify, retrieve, move, and/or update data stored in the network file systems (NFS) 1796 and/or other storage systems.

In some implementations, one or more query servers 1782 may communicate with the NFS 1796 to retrieve and/or update information stored outside of the pod 1744. The NFS 1796 may allow servers located in the pod 1744 to access information over a network in a manner similar to how local storage is accessed. Queries from the query servers 1722 may be transmitted to the NFS 1796 via the load balancer 1728, which may distribute resource requests over various resources available in the on-demand database service environment 1700. The NFS 1796 may also communicate with the QFS 1792 to update the information stored on the NFS 1796 and/or to provide information to the QFS 1792 for use by servers located within the pod 1744.

In some implementations, the content batch servers 1764 may handle requests internal to the pod 1744. These requests may be long-running and/or not tied to a particular customer, such as requests related to log mining, cleanup work, and maintenance tasks. The content search servers 1768 may provide query and indexer functions such as functions allowing users to search through content stored in the on-demand database service environment 1700. The file servers 1786 may manage requests for information stored in the file storage 1798, which may store information such as documents, images, basic large objects (BLOBS), etc. The query servers 1782 may be used to retrieve information from one or more file systems. For example, the query system 1782 may receive requests for information from the app servers 1788 and then transmit information queries to the NFS 1796 located outside the pod 1744. The ACS servers 1780 may control access to data, hardware resources, or software resources called upon to render services provided by the pod 1744. The batch servers 1784 may process batch jobs, which are used to run tasks at specified times. Thus, the batch servers 1784 may transmit instructions to other servers, such as the app servers 1788, to trigger the batch jobs.

While some of the disclosed implementations may be described with reference to a system having an application server providing a front end for an on-demand database service capable of supporting multiple tenants, the disclosed implementations are not limited to multi-tenant databases nor deployment on application servers. Some implementations may be practiced using various database architectures such as ORACLE®, DB2® by IBM and the like without departing from the scope of present disclosure.

FIG. 18 illustrates one example of a computing device, configured in accordance with one or more embodiments. According to various embodiments, a system 1800 suitable for implementing embodiments described herein includes a processor 1801, a memory module 1803, a storage device 1805, an interface 1811, and a bus 1815 (e.g., a PCI bus or other interconnection fabric.) System 1800 may operate as variety of devices such as an application server, a database server, or any other device or service described herein. Although a particular configuration is described, a variety of alternative configurations are possible. The processor 1801 may perform operations such as those described herein. Instructions for performing such operations may be embodied in the memory 1803, on one or more non-transitory computer readable media, or on some other storage device. Various specially configured devices can also be used in place of or in addition to the processor 1801. The interface 1811 may be configured to send and receive data packets over a network. Examples of supported interfaces include, but are not limited to: Ethernet, fast Ethernet, Gigabit Ethernet, frame relay, cable, digital subscriber line (DSL), token ring, Asynchronous Transfer Mode (ATM), High-Speed Serial Interface (HSSI), and Fiber Distributed Data Interface (FDDI). These interfaces may include ports appropriate for communication with the appropriate media. They may also include an independent processor and/or volatile RAM. A computer system or computing device may include or communicate with a monitor, printer, or other suitable display for providing any of the results mentioned herein to a user.

FIG. 19 illustrates an example of a method 1900 for deploying a smart contract configured to support multi-signature action authorization, performed in accordance with one or more embodiments. The method 1900 may be performed by any suitable computing device or devices, such as one or more computing devices within an on-demand database system configured to provide computing services via the internet.

A request to generate a smart contract is received at a database system at 1902. According to various embodiments, the request may be generated by any of various parties. For example, the request may be generated by a user associated with an organization accessing computing services via the database system. As another example, the request may be generated by an administrator of the database system itself.

One or more configuration parameters for generating the smart contract are determined at 1904. A blockchain on which to deploy the smart contract is identified at 1906. As discussed throughout this application, the database system may be used to deploy and manage smart contracts to any of a variety of blockchains. Examples of such blockchains may include, but are not limited to: Ethereum, Solana, Cardano, and Avalanche. Configuration parameters, may be specified based on user input, predetermined configuration values, automatically determined configuration values, or a combination thereof. Examples of such configuration parameters may include, but are not limited to: a template for creating a smart contract, one or more functions to include in a smart contract, and a blockchain on which to deploy a smart contract.

A multi-signature policy is determined for the smart contract at 1908. According to various embodiments, the multi-signature policy may identify one or more user roles and/or user accounts whose signatures are needed to execute a designated action related to the smart contract, as well as the number of signatures required. Additional details regarding the determination of a multi-signature policy are discussed with respect to the method 2000 shown in FIG. 20 .

A smart contract multi-signature verification function for the smart contract is determined at 1910. In some embodiments, the smart contract multi-signature verification function is a function included within the smart contract that is configured to enforce and/or update the smart contract multi-signature policy. All or a portion of such a function may be provided based on user input. Alternatively, or additionally, all or a portion of such a function may be predetermined and stored within the database system, from where it may be retrieved when generating a new smart contract configured for multi-signature policy enforcement. Logic for enforcing and/or updating a smart contract multi-signature policy as executed by a smart contract is discussed in additional detail with respect to the method 2300 shown in FIG. 23 .

A smart contract is generated at 1912. In some embodiments, the smart contract may be generated based on the one or more configuration parameters determined at 1904, the multi-signature policy determined at 1908, and the smart contract multi-signature verification function determined at 1910. An example of a smart contract generated in accordance with one or more embodiments is shown in FIG. 5 .

One or more signature requests are sent at 1914 in accordance with the smart contract multi-signature policy. According to various embodiments, the one or more signature requests may be sent to user accounts associated with user roles specified in the multi-signature policy as needing to sign some or all of the actions related to the smart contract before such actions are executed by the smart contract.

A determination is made at 1916 as to whether the smart contract complies with the multi-signature policy. In some embodiments, the determination may be made by comparing the number, one or more roles, and/or one or more accounts associated with the signatures with the multi-signature policy. Additional details regarding the transmission, receipt, and evaluation signature requests are discussed with respect to the method 2100 shown in FIG. 21 , and particularly with respect to operations 2108 through 2118.

When it is determined that the smart contract complies with the multi-signature policy, then at 1918 the smart contract is deployed to the blockchain. According to various embodiments, deploying the smart contract to the blockchain may involve transmitting a request from the database system to a node configured to store information on the blockchain. An example of such a configuration is shown in FIG. 2 , while an example of the passage of messages between the database system and the blockchain to perform such operations is shown in FIG. 4 . As part of the deployment of the smart contract to the identified blockchain, the multi-signature policy itself may be stored on the blockchain.

The database system is updated at 1920. According to various embodiments, the database system may be updated to include one or more entries related to the smart contract, the multi-signature policy, any received signatures, and/or other information identified or determined in the course of performing the method 1900. Additional details regarding the types of database entries that may be created and/or updated are shown in the database architecture diagram 300 in FIG. 3 .

FIG. 20 illustrates an example of a method for configuring a smart contract multi-signature policy, performed in accordance with one or more embodiments. The method 2000 may be performed by any suitable computing device or devices, such as one or more computing devices within an on-demand database system configured to provide computing services via the internet.

A request to configure a smart contract multi-signature policy for a smart contract is received at 2002. In some embodiments, the request may be generated automatically, for instance when the smart contract is created, as discussed with respect to operation 1908 in the method 1900 shown in FIG. 19 . Alternatively, or additionally, a request to configure a smart contract multi-signature policy may be generated manually. For instance, an administrator may request to configure a smart contract multi-signature policy.

In some embodiments, the configuration request may apply to a single smart contract. Alternatively, a configuration request may result in configuring a policy that applies to multiple smart contracts, for instance smart contracts of a particular type or class.

A smart contract action is identified for multi-signature authorization at 2004. In some embodiments, the smart contract action may be identified based on user input. Alternatively, or additionally, the system may automatically identify particular smart contract actions for multi-signature authorization, for instance to ensure heightened security for particular types of actions and/or smart contracts.

According to various embodiments, any of a variety of types of smart contract actions may be configured to require multi-signature authorization prior to performance. Examples of such actions may include, but are not limited to: minting tokens, minting a designated number of tokens, changing a price associate with a token, changing a price beyond a designated threshold level, pausing transfer of one or more tokens, changing a role related to a smart contract, and/or any other relevant operations. As a particular example, any action exposed via a smart contract API, such as a custom function executed by a smart contract, may be configured for multi-signature authentication.

A role authorized to perform the smart contract action is identified at 2006. In some implementations, different actions related to a smart contract may be limited to being performed by accounts having particular roles. For example, an account that is assigned a deployment role but not a minting role may be authorized to perform an action to deploy a smart contract to a blockchain but not to perform an action to mint a token via the smart contract.

In some embodiments, a correspondence between roles and actions may be stored in the database system, for instance as discussed with respect to FIG. 3 . As shown in FIG. 3 , a crypto wallet 306 may be associated with various user roles that authorize particular accounts to perform particular actions associated with the wallet.

A number of signatures for authorizing the smart contract action is identified at 2008. In some embodiments, the number of signatures may be identified based on user input. Alternatively, or additionally, a default number of signatures may be provided for particular actions, such as minting tokens or deploying a smart contract.

In some embodiments, the number of signatures may indicating the number of accounts associated with the role identified at 2006 that need to sign a crypto transaction envelope that includes a change associated with the smart contract action before the smart contract action is performed on the blockchain. For example, in order to mint a token via a smart contract, the minting request may need to be signed by at least three accounts that are associated with roles providing the accounts with minting authority.

One or more mandatory signatures for authorizing the smart contract action are identified at 2010. In some embodiments, a mandatory signature may identify a particular wallet identifier, user identifier, and/or smart contract role for which a signature is required before performing the smart contract action. For example, an action such as minting a token may require three signatures by authorized minters, as well as a mandatory signature by an auditor, before the minting may be performed.

A determination is made at 2012 as to whether to configure an additional smart contract action for multi-signature authorization. In some embodiments, additional smart contract actions may be configured until a terminating condition is met. For example, user input indicating that smart contract action configuration is complete may be received. As another example, each action on a list of high-security actions may be analyzed until security permissions have been specified for each listed action.

When it is determined not to configure an additional smart contract action for multi-signature authorization, a smart contract multi-signature policy for the smart contract is stored at 2014. According to various embodiments, the smart contract multi-signature policy may identify one or more smart contract actions, roles, and/or signature requirements. For example, the smart contract multi-signature policy may include a number of entries. An entry may identify a smart contract action and a number of signatures associated with users authorized to perform that action that must be collected before the action may be performed. Alternatively, or additionally, the smart contract multi-signature policy may include one or more mandatory signatures associated with particular smart contract actions.

In particular embodiments, storing the smart contract multi-signature policy may involve transmitting an instruction to the blockchain. For instance, a smart contract may be executed to record the smart contract multi-signature policy on the blockchain so that the smart contract may ensure that the smart contract multi-signature policy is followed when the smart contract receives a request to perform an action. Additional details related to updating a multi-signature policy for a smart contract already deployed on the blockchain are discussed with respect to the method 2200 shown in FIG. 22 .

FIG. 21 illustrates an example of a method 2100 for executing a smart contract multi-signature policy, performed in accordance with one or more embodiments. The method 2100 may be performed by any suitable computing device or devices, such as one or more computing devices within an on-demand database system configured to provide computing services via the internet.

A request to perform one or more actions related to a smart contract is received at 2102. According to various embodiments, the request may be received via a communication interface at a database system. For instance, the database system may be configured to facilitate interactions with the blockchain on behalf of an entity.

According to various embodiments, various numbers of actions may be requested by various numbers of parties. Examples of requested actions may include, but are not limited to: minting tokens, minting a designated number of tokens, changing a price associate with a token, changing a price beyond a designated threshold level, pausing transfer of one or more tokens, changing a role related to a smart contract, and/or any other relevant operations. As a particular example, any action exposed via a smart contract API, such as a custom function executed by a smart contract, may be requested.

A determination is made at 2104 as to whether the smart contract is associated with an existing crypto transaction envelope. In some embodiments, as discussed with respect to operation 2106, the database system may be updated to identify such an association when such an envelope is created. By allowing the creation of a crypto transaction envelope only when one does not already exist, the system may ensure that two competing requests are not created at the same time, such as two different requests to update the same multi-signature policy. Accordingly, the determination made at operation 2104 may be made by accessing the database system using an identifier that uniquely identifies the smart contract.

In particular embodiments, some types of actions may be limited to a single crypto transaction envelope at a time, while other types of actions may not be limited in this way. For instance, administrative actions such as requests to update a multi-signature policy may be limited to a single crypto transaction envelope, while the system may allow other types of actions such as minting tokens to be performed concurrently. Accordingly, the determination made at operation 2104 may be specific to a particular type or types of crypto transaction envelope.

If it is determined that the smart contract is not associated with an existing administrative action envelope, then at 2106 a crypto transaction envelope is generated in accordance with a multi-signature policy for the smart contract. In some embodiments, the multi-signature policy may be retrieved from the database system using the smart contract identifier. Alternatively, the multi-signature policy may be retrieved from the blockchain.

According to various embodiments, any or all of a variety of information may be included in the crypto transaction envelope. For example, the crypto transaction envelope may identify a blockchain (e.g., via a chain ID), a smart contract (e.g., via a smart contract ID), a function to execute at the smart contract, one or more parameter values to supply to the function, and/or any other suitable information.

In some embodiments, the crypto transaction envelope may include a nonce value. As used herein, the term “nonce value” refers to any suitable value used to protect against replaying the same request to a smart contract. A nonce value may be generated randomly, sequentially, or in accordance with any suitable generation scheme. The nonce value may be recorded on the blockchain when it is received at an executed smart contract to ensure that subsequent requests that include the same nonce value will fail.

According to various embodiments, the information included in the crypto transaction envelope may be determined in one or more of a variety of ways. For example, information may be included with the request received at 2102. As another example, information may be identified based on predetermined configuration information. As another example, information may be provided interactively based on user input.

In some embodiments, when the crypto transaction envelope is created, a record of the creation may be stored in the database system. In this way, the system may ensure that two competing requests are not created at the same time.

Generating the crypto transaction envelope may involve operations such as generate a change list, determining an identifier associated with a smart contract and/or wallet, and storing one or more records in the database system.

An account assigned a role associated with the smart contract multi-signature policy is identified at 2108. According to various embodiments, identifying the account may involve determining one or more rules within the smart contract multi-signature policy governing actions such as the action or actions requested at 2102. For instance, if the action or actions requested at 2102 include both a request to mint one or more tokens and a request to change a transaction price associated with purchasing one or more tokens, then the crypto envelope may need to be signed by one or more accounts assigned roles authorizing the accounts to mint tokens, as well as signed by one or more accounts assigned roles authorizing the accounts to update a purchase price.

In some embodiments, accounts may be identified manually. For instance, a user may provide user input identifying an account with which to communicate to secure a signature. Alternatively, or additionally, accounts may be identified automatically. For instance, the database system may be queried to identify and then automatically select an account assigned a role for which a signature is required. In particular embodiments, when more than one action is requested, then when possible an account assigned roles authorized to sign for more than one action may be identified. For instance, an administrator may be authorized to both mint tokens and change a transaction price.

In particular embodiments, as discussed herein, one or more actions may be associated with one or more mandatory signatures. In such a situation, the account identified at 2108 may be a particular account specified by the smart contract multi-signature policy.

An item in the crypto transaction envelope is generated at 2110. In some embodiments, the item in the crypto transaction envelope may identify the account associated with the signature request. Alternatively, or additionally, the item may include information such as the smart contract function or functions associated with the requested action or actions, the parameter value or values to be supplied to the function or functions, the blockchain ID, and/or the smart contract ID. In this way, the signed item may be used to confirm that the signor approves the requested action.

A request to sign the crypto transaction envelope is transmitted to the account at 2112. According to various embodiments, the request may be transmitted via any suitable communication medium. Examples of suitable communication mediums may include, but are not limited to: email, instant messaging, text messaging, native application messaging, and social networking messaging. For instance, the database system may include a dedicated messaging application for transmitting messages between user accounts. The request may include or identify, for instance via a uniform resource indicator (URI), the crypto transaction envelope.

A determination is made at 2114 as to whether to identify an additional account for signing the crypto transaction envelope. In some embodiments, the determination made at 2114 may be made based at least in part on whether a sufficient number and type of signatures have been received and/or rejected based on the multi-signature policy. Additional accounts may be selected until a terminating condition is met. For example, a terminating condition may be the detection of a suitable number and type of signatures. As another example, a terminating condition may be the detection of the passage of a designated period of time without the detection of a suitable number and type of signatures. As yet another example, a terminating condition may be the detection of one or more rejections of the signature requests.

In some embodiments, the recipient of a request may sign the request. Signing the request may involve, for instance, applying a digital signature using the recipient's private key. Alternatively, the recipient of a request may reject the request. In such a situation, the request to perform the action may be rejected. That is, once a single recipient has rejected a request to sign, the requested actions may be rejected. Alternatively, some number or proportion of requests may need to be rejected before the requested actions are rejected.

According to various embodiments, non-response by the recipient may be handled in any of various ways. For example, non-response after a designated period of time may be treated as a rejection. As another example, non-response after a designated period of time may be treated as unavailability, and a different account may be requested to sign the crypto transaction envelope. The smart contract multi-signature authorization policy may include one or more rules for indicating a course of action to take in the event of non-response.

If it is determined not to identify an additional account for signing the crypto transaction envelope, then at 2116 a request is transmitted to the blockchain based on the crypto transaction envelope. The request may include any or all of a variety of information. For example, the request may identify a chain ID, a smart contract ID, a nonce value, one or more functions to execute on the smart contract, and/or one or more parameter values to supply to the one or more functions. As another example, the request may include one or more signed items. As discussed with respect to operation 2110, an item may include any or all of a variety of information. The signed item may include a hashed version of such information produced by applying the private key.

In particular embodiments, a request may be transmitted to the blockchain even if the requested action is rejected. A rejected request may include any or all of a variety of information. For example, the request may identify a chain ID, a smart contract ID, a nonce value, one or more functions to execute on the smart contract, and/or one or more parameter values to supply to the one or more functions. The transmission of a rejected request may allow the smart contract to record the nonce value on the blockchain to ensure that the request cannot be repeated, for instance if the multi-signature policy were to subsequently change.

The database system is updated at 2118. According to various embodiments, the database system may be updated to include any or all of the information determined as discussed with respect to the method 2100 shown in FIG. 21 . For instance, the database system may be updated to include information such as whether or not the crypto transaction envelope was signed in accordance with a multi-signature policy, when the request was transmitted to the blockchain at 2116, and the nature of the request transmitted to the crypto transaction envelope.

FIG. 22 illustrates an example of a method 2200 for updating a smart contract multi-signature policy, performed in accordance with one or more embodiments. The method 2200 may be performed by any suitable computing device or devices, such as one or more computing devices within an on-demand database system configured to provide computing services via the internet.

At 2202, a request is received at a database system to update a multi-signature policy for a smart contract. In some embodiments, the request may be generated by an owner associated with the smart contract. Alternatively, the request may be generated by an account having a different role, such as a security administrator. The request may include an identifier that uniquely identifies the smart contract.

An existing multi-signature policy for the smart contract is identified at 2204. In some implementations, an existing multi-signature policy for a smart contract may be stored in the database system. Alternatively, the existing multi-signature policy may also be retrieved from the blockchain where it is recorded. The existing multi-signature policy may be identified based on the smart contract identifier included with the request received at operation 2202.

An updated multi-signature policy for the smart contract is determined at 2206. According to various embodiments, the updated multi-signature policy may be determined as discussed with respect to the method 2000 shown in FIG. 20 .

One or more signature requests are sent at 2208 in accordance with the existing smart contract multi-signature policy. A determination is made at 2210 as to whether the request to update the multi-signature policy complies with the existing multi-signature policy for the smart contract.

If it is determined that the request to update the multi-signature policy does not comply with the existing multi-signature policy, then at 2212 an indication of a failed request to update the multi-signature policy is transmitted to the deployed smart contract. If instead it is determined that the request to update the multi-signature policy does comply with the existing multi-signature policy, then at 2214 the signed request to update the smart contract multi-signature policy is transmitted to the deployed smart contract. The database system is updated at 2216.

In some embodiments, when a multi-signature policy for a smart contract is successfully updated, the updated multi-signature policy may be stored on the blockchain itself. For instance, the current multi-signature policy for a smart contract may be the multi-signature policy most recently written to the blockchain via the updating process. In general, the process for securing one or more signatures, communicating information to the smart contract deployed on the blockchain, and updating the database system may be substantially similar to operations performed as part of the method 2100 shown in FIG. 21 .

FIG. 23 illustrates a method for performing an action at a smart contract, performed in accordance with one or more embodiments. The smart contract action method 2300 may be performed at a computing device configured to perform one or more blockchain-related operations such as executing smart contracts. For instance, the smart contract action method 2300 may be performed at the replica node 210 shown in FIG. 2 .

A request to execute a function at a smart contract is received at 2302. In some embodiments, the request may identify a function, one or more parameter values associated with the function, a nonce value, and/or one or more signatures. The request may be generated as discussed with respect to the method 2100 shown in FIG. 21 .

A smart contract multi-signature policy related to the execution of the function at the smart contract is identified at 2304. According to various embodiments, the multi-signature policy may be recorded on the blockchain. As discussed herein, when a smart contract is deployed, a multi-signature policy associated with the smart contract may be recorded on the blockchain. The multi-signature policy may be updated by recording an updated policy on the blockchain in association with the smart contract, as discussed with respect to the method 2200 shown in FIG. 22 . Accordingly, identifying the multi-signature policy for the smart contract may involve retrieving the multi-signature policy from the blockchain.

A determination is made at 2306 as to whether the request is associated with a nonce value that has not been previously recorded. According to various embodiments, as discussed with respect to the method 2100 shown in FIG. 21 , action requests generated in accordance with a multi-signature policy may be associated with a nonce value which may be recorded on the blockchain after the request is executed by the smart contract. Such a configuration may help to ensure that, for instance, an originally legitimate request may not be sent again by a malicious party as part of a “replay” attack.

If it is determined that the request is associated with a nonce value not previously recorded, then at 2308 a determination is made as to whether the request includes the correct chain ID and smart contract ID. In some embodiments, such information may be included with the request received at 2302. These values may be checked before performing the requested action at the smart contract by comparing them against the corresponding chain ID and smart contract ID stored on the blockchain as part of, or in association with, the smart contract itself. By performing such a check, a signed request corresponding to a particular smart contract on a particular blockchain may not be used to perform an action for a different smart contract and/or a smart contract on a different blockchain.

If it is determined that the request includes the correct chain ID and smart contract ID, then at 2310 a determination is made as to whether the request is signed by the signatures corresponding with the function name and parameters included with the request. In some embodiments, as discussed with respect to the method 2100 shown in FIG. 21 , a signature collected as part of a smart contract multi-signature policy execution procedure may include not only a key associated with the signer's account, but also information about the function name, parameters, smart contract, and chain ID associated with the request. By performing such a check, the smart contract function and parameter values may not be altered after the requested action is signed.

If it is determined that the request is signed by the signatures corresponding with the function name and parameters included with the request, then at 2312 a determination is made as to whether the signatures comply with the requisite number and roles identified in the multi-signature policy. According to various embodiments, the determination may be made by identifying any accounts that have signed the crypto transaction envelope, and determining the roles associated with those accounts. Then, the number of signatures and the identities and roles associated with the signing accounts may be compared with the smart contract multi-signature policy to determine whether the criteria specified by the smart contract multi-signature policy have been satisfied.

If it is determined that the signatures comply with the requisite number and roles identified in the multi-signature policy, then at 2314 the smart contract function is executed using the parameter values. According to various embodiments, the executed smart contract function may be any function associated with the smart contract. For example, the executed smart contract function may involve minting a token, updating a role, transferring a token, or performing any other action or combination of actions.

Otherwise, if instead it is determined that any of the verification operations performed at 2306 through 2312 have failed, then the one or more requested actions are not executed. In this way, only actions that are authorized by accounts in accordance with the smart contract multi-signature policy are executed, thus ensuring that actions are performed only when authorized.

The nonce is recorded on the blockchain at 2316. In some embodiments, recording the nonce on the blockchain may involve executing a blockchain transaction to store both the nonce value and the smart contract identifier. By later checking each nonce value recorded in association with the smart contract at operation 2306, the same request may not be repeatedly executed.

The database system is updated at 2318. According to various embodiments, the database system may be updated by transmitting information from the blockchain to the database system. Examples of the types of blockchain-related information that may be stored in the database system are discussed with respect to FIG. 3 . For instance, the database system may be updated to reflect one or more outcomes of the request received at 2302. Such information may be transmitted by the smart contract itself after, or as part of, the execution of a request to perform an action. Alternatively, or additionally, such information may be retrieved by the database system by directly observing the information stored on the blockchain.

According to various embodiments, the operations performed in the method 2300 shown in FIG. 23 , or indeed in any of the methods described herein, may be performed in an order different from that shown. For instance, the verification activities discussed with respect to operations 2306 through 2312 may be performed in a different sequence, in parallel, or in some combination thereof.

Any of the disclosed implementations may be embodied in various types of hardware, software, firmware, computer readable media, and combinations thereof. For example, some techniques disclosed herein may be implemented, at least in part, by computer-readable media that include program instructions, state information, etc., for configuring a computing system to perform various services and operations described herein. Examples of program instructions include both machine code, such as produced by a compiler, and higher-level code that may be executed via an interpreter. Instructions may be embodied in any suitable language such as, for example, Apex, Java, Python, C++, C, HTML, any other markup language, JavaScript, ActiveX, VBScript, or Perl. Examples of computer-readable media include, but are not limited to: magnetic media such as hard disks and magnetic tape; optical media such as flash memory, compact disk (CD) or digital versatile disk (DVD); magneto-optical media; and other hardware devices such as read-only memory (“ROM”) devices and random-access memory (“RAM”) devices. A computer-readable medium may be any combination of such storage devices.

In the foregoing specification, various techniques and mechanisms may have been described in singular form for clarity. However, it should be noted that some embodiments include multiple iterations of a technique or multiple instantiations of a mechanism unless otherwise noted. For example, a system uses a processor in a variety of contexts but can use multiple processors while remaining within the scope of the present disclosure unless otherwise noted. Similarly, various techniques and mechanisms may have been described as including a connection between two entities. However, a connection does not necessarily mean a direct, unimpeded connection, as a variety of other entities (e.g., bridges, controllers, gateways, etc.) may reside between the two entities.

In the foregoing specification, reference was made in detail to specific embodiments including one or more of the best modes contemplated by the inventors. While various implementations have been described herein, it should be understood that they have been presented by way of example only, and not limitation. For example, some techniques and mechanisms are described herein in the context of on-demand computing environments that include MTSs. However, the techniques of disclosed herein apply to a wide variety of computing environments. Particular embodiments may be implemented without some or all of the specific details described herein. In other instances, well known process operations have not been described in detail in order to avoid unnecessarily obscuring the disclosed techniques. Accordingly, the breadth and scope of the present application should not be limited by any of the implementations described herein, but should be defined only in accordance with the claims and their equivalents. 

1. A method comprising: receiving via a communication interface at a database system a request to perform an action related to a smart contract deployed on a blockchain, the smart contract associated with a multi-signature authorization policy including one or more signature criteria for performing the action; transmitting a respective signature request message to a plurality of recipients, the signature request messages identifying the smart contract and the action; receiving a plurality of signature response messages, two or more of the signature response messages including a respective signature generated based on a respective private cryptographic key; and transmitting an action execution message to execute the smart contract to perform the action, the action execution message including the two or more signatures, the smart contract being configured to perform the action when the two or more signatures comply with the multi-signature authorization policy.
 2. The method recited in claim 1, wherein the action is a function included in the smart contract.
 3. The method recited in claim 2, wherein the action includes one or more parameter values supplied to the function upon execution.
 4. The method recited in claim 3, wherein the action execution message includes a function identifier and the one or more parameter values, and wherein the two or more of the signature response messages include a signed function identifier and one or more signed parameter values corresponding with the function identifier and the one or more parameter values, the signed function identifier and the signed one or more parameter values being signed by the respective private cryptographic key.
 5. The method recited in claim 1, wherein the multi-signature authorization policy is stored on the blockchain.
 6. The method recited in claim 5, wherein the action includes a request to update the multi-signature authorization policy by recording on the blockchain an updated multi-signature authorization policy.
 7. The method recited in claim 1, wherein the smart contract is associated with a plurality of roles, and wherein the one or more signature criteria identify a designated role of the plurality of roles for which a signature is needed to perform the action, and wherein a designated recipient of the plurality of recipients is assigned the designated role.
 8. The method recited in claim 1, wherein the action execution message includes a blockchain identifier and a smart contract identifier, and wherein the two or more of the signature response messages include a signed blockchain identifier and a signed smart contract identifier corresponding with the blockchain identifier and the smart contract identifier, the signed blockchain identifier and the signed smart contract identifier being signed by the respective private cryptographic key.
 9. The method recited in claim 1, wherein the one or more signature criteria identify a designated number of signatures needed to perform the action.
 10. The method recited in claim 1, wherein the one or more signature criteria identify a designated account as a mandatory signer for performing the action.
 11. The method recited in claim 1, wherein the action execution message is transmitted when it is determined at the database system that the one or more signature criteria are satisfied.
 12. The method recited in claim 1, wherein the action execution message includes a nonce value, and wherein the smart contract is configured to record the nonce value on the blockchain after receipt of the action execution message, and wherein the smart contract is configured to perform the action only when it is determined that the nonce value has not been previously recorded to the blockchain.
 13. The method recited in claim 1, the method further comprising: updating the database system to reflect transmission of the action execution message.
 14. The method recited in claim 1, wherein a designated one of the recipients corresponds with on a crypto wallet associated with the blockchain.
 15. The method recited in claim 1, wherein a designated one of the recipients corresponds with a user account within the database system.
 16. One or more non-transitory computer-readable media configured to perform a method, the method comprising: receiving via a communication interface at a database system a request to perform an action related to a smart contract deployed on a blockchain, the smart contract associated with a multi-signature authorization policy including one or more signature criteria for performing the action; transmitting a respective signature request message to a plurality of recipients, the signature request messages identifying the smart contract and the action; receiving a plurality of signature response messages, two or more of the signature response messages including a respective signature generated based on a respective private cryptographic key; and transmitting an action execution message to execute the smart contract to perform the action, the action execution message including the two or more signatures, the smart contract being configured to perform the action when the two or more signatures comply with the multi-signature authorization policy.
 17. A database system comprising: a communication interface configured to receive a request to perform an action related to a smart contract deployed on a blockchain, the smart contract associated with a multi-signature authorization policy including one or more signature criteria for performing the action, wherein the communication interface is further configured to transmit a respective signature request message to a plurality of recipients, the signature request messages identifying the smart contract and the action; memory configured to store plurality of signature response messages received by the database system, two or more of the signature response messages including a respective signature generated based on a respective private cryptographic key; and a processor configured to cause the communication interface to transmit an action execution message to execute the smart contract to perform the action, the action execution message including the two or more signatures, the smart contract being configured to perform the action when the two or more signatures comply with the multi-signature authorization policy.
 18. The database system recited in claim 17, wherein the action is a function included in the smart contract, wherein the action includes one or more parameter values supplied to the function upon execution, and wherein the action execution message includes a function identifier and the one or more parameter values, and wherein the two or more of the signature response messages include a signed function identifier and one or more signed parameter values corresponding with the function identifier and the one or more parameter values, the signed function identifier and the signed one or more parameter values being signed by the respective private cryptographic key.
 19. The database system recited in claim 18, wherein the multi-signature authorization policy is stored on the blockchain, and wherein the action includes a request to update the multi-signature authorization policy by recording on the blockchain an updated multi-signature authorization policy.
 20. The database system recited in claim 17, wherein the action execution message includes a nonce value, and wherein the smart contract is configured to record the nonce value on the blockchain after receipt of the action execution message, and wherein the smart contract is configured to perform the action only when it is determined that the nonce value has not been previously recorded to the blockchain. 